From 41271feb2e39c812bf11bf72eb36534e2308bdf6 Mon Sep 17 00:00:00 2001 From: SG Date: Mon, 8 Jan 2024 10:20:48 -0700 Subject: [PATCH] idaholab/Malcolm#318, third party logs are not parsed correctly from fluentbit -> fluentd aggregator -> Malcolm --- logstash/pipelines/beats/11_beats_logs.conf | 29 ++++++++++----------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/logstash/pipelines/beats/11_beats_logs.conf b/logstash/pipelines/beats/11_beats_logs.conf index 15d46d3a2..b1ed20bc4 100644 --- a/logstash/pipelines/beats/11_beats_logs.conf +++ b/logstash/pipelines/beats/11_beats_logs.conf @@ -8,6 +8,20 @@ filter { # move a couple of things identifying the event source from under miscbeat up to the top level + if ([miscbeat][message][module]) and (![miscbeat][module]) { + # special case to handle fluent-bit -> fluentd.loomsystems -> filebeat TCP input + # move entire "message" contents up to root + # https://github.com/idaholab/Malcolm/issues/318 + ruby { + id => "ruby_miscbeat_message_move_up" + code => " + event.get('[miscbeat][message]').each { |k, v| + event.set('[miscbeat][' + k + ']', v) + } + event.remove('[miscbeat][message]') + " + } + } if ([miscbeat][host]) { ruby { id => "ruby_miscbeat_host_merge" @@ -78,21 +92,6 @@ filter { # https://docs.fluentbit.io/manual/ # https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html - if (![miscbeat][module]) and ([miscbeat][message][module]) { - # special case to handle fluent-bit -> fluentd.loomsystems -> filebeat TCP input - # move entire "message" contents up to root - # https://github.com/idaholab/Malcolm/issues/318 - ruby { - id => "ruby_miscbeat_message_move_up" - code => " - event.get('[miscbeat][message]').each { |k, v| - event.set('[miscbeat][' + k + ']', v) - } - event.remove('[miscbeat][message]') - " - } - } - # set event.module to whatever we set "module" to when running fluentbit if ([miscbeat][module]) { mutate { id => "mutate_replace_event_module_miscbeat_module"