Filebeat source:unknown, no agent.hostname field

[NomAnor]

I'm testing graylog with the filebeat journald input and the source field shows unknown.
In #6501 the same problem was fixed because of a rename in newer Beats versions.

Looking through the Beat documentation it looks like the agent.hostname field is deprecated and the agent.name field should be used: https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-beat-common.html

Expected Behavior

Source field shows the hostname of the filebeat agent.

Current Behavior

Source field shows "unknown".

Possible Solution

Extend the source parsing such that agent.name and agent.id are also considered.

graylog2-server/graylog2-server/src/main/java/org/graylog/plugins/beats/Beats2Codec.java

Line 96 in 1afa5b7

final String hostname = agentOrBeat.path("hostname").asText(BEATS_UNKNOWN);

Steps to Reproduce (for bugs)

1. Run the docker-compose.yml from the Graylog Documentation
2. Configure beats input
3. Run filebeat using the journald input

Your Environment

Arch Linux with filebeat 8.3.3 built from the AUR package.

Filebeat config:

filebeat.inputs:
  - type: journald
    id: journal

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

output.logstash:
  hosts:
    - "localhost:5044"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

• Graylog Version: 4.2
• Java Version:
• Elasticsearch Version: 7.10.2
• MongoDB Version: 4.2
• Operating System: Arch Linux
• Browser version: Firefox 103.0.2