Make compatible to plain logs *and* filebeat icinga module #45

Open
widhalmt opened this issue Oct 17, 2019 · 3 comments
Labels
ecs Compatibility to Elastic Common Schema question Further information is requested

Comments

@widhalmt
Member

The current version supports shipping the logs just like they are from the filesystem, but it cannot deal with logs that are preprocessed by the icinga module of filebeat. We should introduce an if to handle both.

@widhalmt
Member Author

There are some fields from the icinga module that have a different naming scheme than what we use in this pipeline.

I see icinga.main.facility instead of icinga.facility and log.level instead of icinga.severity. Was this implemented by the icinga team or was this done by Elastic while updating the beat to 7.x? Should we follow the change with the Icinga Logstash pipeline? @bobapple could you shed some light on where these changes in the icinga module for filebeat come from?

@widhalmt widhalmt added question Further information is requested ecs Compatibility to Elastic Common Schema labels Oct 18, 2019
@widhalmt
Member Author

According to "blame" on https://github.com/elastic/beats/blame/master/filebeat/module/icinga/main/ingest/pipeline.json this was changed by elastic/beats#9294 during conversion to ECS.

It looks like we should follow the changes.

@widhalmt
Member Author

I involved the Elastic community in this discussion, too: https://discuss.elastic.co/t/implementing-ecs-with-custom-fields/204184

widhalmt added a commit that referenced this issue Oct 21, 2019
… module in filebeat

Rename `facility` field to align with `icinga` module in filebeat

helps with #45