Beats metadata changes in 7.x - Hostname Unknown #6501
Comments
|
I would only consider everything 6.x in the elastic stack compatible with graylog. |
|
I also encountered such a problem, I hope you can solve it. Thank you very much! |
mpfz0r
added a commit
that referenced
this issue
Apr 14, 2020
Beats 7.0 changed a lot of their field name schema. https://www.elastic.co/guide/en/beats/libbeat/7.x/breaking-changes-7.0.html#_field_name_changes This is a minimal change to extract the hostname from pre-7 and post-7 type beats messages. Fixes #6501
bernd
pushed a commit
that referenced
this issue
Apr 16, 2020
Beats 7.0 changed a lot of their field name schema. https://www.elastic.co/guide/en/beats/libbeat/7.x/breaking-changes-7.0.html#_field_name_changes This is a minimal change to extract the hostname from pre-7 and post-7 type beats messages. Fixes #6501
mpfz0r
added a commit
that referenced
this issue
Apr 16, 2020
Beats 7.0 changed a lot of their field name schema. https://www.elastic.co/guide/en/beats/libbeat/7.x/breaking-changes-7.0.html#_field_name_changes This is a minimal change to extract the hostname from pre-7 and post-7 type beats messages. Fixes #6501 (cherry picked from commit 5061d81)
bernd
pushed a commit
that referenced
this issue
Apr 16, 2020
Beats 7.0 changed a lot of their field name schema. https://www.elastic.co/guide/en/beats/libbeat/7.x/breaking-changes-7.0.html#_field_name_changes This is a minimal change to extract the hostname from pre-7 and post-7 type beats messages. Fixes #6501 (cherry picked from commit 5061d81)
|
Winlogbeat 7.7.1 issue still exists |
|
@redhatromero hmm, I tested this with 7.6.2. Which Graylog version are you using? |
|
Graylog 3.2.4 |
This has been fixed in 3.2.5. you need to upgrade |
|
ok... I will do that. thanks for the feedback. |
|
once upgraded to the latest, currently 3.2.6, im no longer seeing ms windows servers appear in the ui as "source:unknown". this does not seem to affect any logs captured prior to the upgrade but the current and going forward look as though they will appear as expected. thanks @mpfz0r |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In Filebeat 7.x (and in Beats 7.x in general), the path to certain metadata has changed. In particular, what was formerly under the
beatskey is now under theagentkey, andbeats.hostnamehas becomeagent.hostname. Because the Beats2 codec looks forbeats.hostnameto determine the sender of the message, all messages sent by Filebeat 7.x (and presumably messages sent by other Beats such as AuditBeat) now havesource: unknown.Expected Behavior
The Beats2 input should correctly determine the hostname of the sender regardless of the version of the Beat the message was sent by.
Current Behavior
The Beats2 input can only determine the hostname of the sender for Beats versions 6.x or lower, and fails to determine the hostname from messages sent by Beats versions 7.x or higher.
Possible Solution
Check the
@metadata.versionfield and switch which parent field to look at on line 91 based on the results.Alternatively, simply check for both
agent.hostnameandbeats.hostname, picking whichever one actually exists.Steps to Reproduce (for bugs)
hostnamekey is now a child of theagentkey rather than thebeatkey (which no longer exists at all).Context
We've updated to Filebeat 7.x in some environments and discovered that message source is no longer recorded correctly. Of course, the required information is still present in the message, so we can work around this with pipeline processing, but this is something that should work out of the box.
Your Environment
The text was updated successfully, but these errors were encountered: