Rename source field in Filebeat
#8902
Conversation
ruflin
added
in progress
filebeat/input/udp/input.go
Outdated
| @@ -74,7 +74,9 @@ func NewInput( | |||
| }, | |||
| Fields: common.MapStr{ | |||
| "message": string(data), | |||
| "source": metadata.RemoteAddr.String(), | |||
| "source": common.MapStr{ | |||
There was a problem hiding this comment.
@ph Does this make sense for udp, tcp and syslog?
|
@ph @andrewkroh @webmat I actually have second thoughts here about the proposed fields. The |
There was a problem hiding this comment.
LGTM
I agree with nesting this information under log.. Without it, you're right that there's a conflict with this meta information about the source of the event, and the event content itself.
And I also like that you're keeping the full name of log.file.path. It opens up the possibility to fill up more of the file fields under there with log file metadata (e.g. log.file.owner & so on), if someone ever needs this.
|
@ruflin proposed changes LGTM |
|
Since this is one field being split in two locations (file path vs IP), we can't list it in |
|
@webmat I'll figure out a way to list it |
ruflin
changed the title
source field in Filebeatsource field in Filebeat
ruflin
added
review
and removed
in progress
ruflin
force-pushed
the
convert-source-filebeat
branch
2 times, most recently
from
7885f48 to
cb16cbf
Compare
ruflin
force-pushed
the
convert-source-filebeat
branch
from
cb16cbf to
f7b8647
Compare
CHANGELOG.asciidoc
Outdated
| @@ -20,6 +20,7 @@ https://github.com/elastic/beats/compare/v6.4.0...master[Check the HEAD diff] | |||
| - Use `initial_scan` action for new paths. {pull}7954[7954] | |||
|
|
|||
| *Filebeat* | |||
| - Move source to log.file.path and log.source.ip | |||
There was a problem hiding this comment.
I'd use "Rename" rather than "Move".
filebeat/_meta/fields.common.yml
Outdated
| type: ip | ||
| required: false | ||
| description: > | ||
| Source ip from which the log event was read / sent from. |
CHANGELOG.asciidoc
Outdated
| @@ -20,7 +20,7 @@ https://github.com/elastic/beats/compare/v6.4.0...master[Check the HEAD diff] | |||
| - Use `initial_scan` action for new paths. {pull}7954[7954] | |||
|
|
|||
| *Filebeat* | |||
|
|
|||
There was a problem hiding this comment.
Nit: You've removed the empty line between the header (Filebeat) and the list of changes
There was a problem hiding this comment.
Will fix this in a follow up PR
| @@ -16,6 +16,7 @@ | |||
| "http.request.method": "GET", | |||
| "http.response.status_code": "200", | |||
| "input.type": "log", | |||
| "log.file.path": "/Users/ruflin/Dev/gopath/src/github.com/elastic/beats/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log", | |||
| "log.offset": 0, | |||
There was a problem hiding this comment.
As this field is ignored by test_modules.py, can we get rid of this entries?
There was a problem hiding this comment.
Good question. Will need to investigate. Will also tackle this in one of the other PR's that is conflicting with this one as soon as it's merged if that is ok with you?
There was a problem hiding this comment.
You got lucky, have to rebase now anyways. Will fix these issues.
ruflin
force-pushed
the
convert-source-filebeat
branch
from
13db3e9 to
a1437a9
Compare
ruflin
changed the title
source field in Filebeatsource field in Filebeat
ruflin
force-pushed
the
convert-source-filebeat
branch
from
a1437a9 to
f1cdd06
Compare
The source field in Filebeat was used to store the file path for logs or the source ip for syslog, udp, tcp input. As source is in ECS an object the fields are now moved to ECS pattern. * For UDP, TCP, syslog input the source field is converted to log.source.ip * For the log input the source field is converted to log.file.path Done: * Test files updated * Changelog updated * Migration file updated * `source` removed from fields.yml, two new fields added
ruflin
force-pushed
the
convert-source-filebeat
branch
from
f1cdd06 to
b659e10
Compare
|
Ready for an other round of reviews. Failing tests should not be related. |
Related to elastic#8902 but adding the fields instead of replacing
The source field in Filebeat was used to store the file path for logs or the source ip for syslog, udp, tcp input. As source is in ECS an object the fields are now moved to ECS pattern.
Done:
sourceremoved from fields.yml, two new fields added