Plz check the source fileld (filebeat 8.6.2) #34691

15250980346 · 2023-02-28T06:00:01Z

Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.

For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.

Please include configurations and logs if available.

For confirmed bugs, please report:

Version: 8.6.2
Operating System: ubuntu
Discuss Forum URL:
- Steps to Reproduce: when i update the filebeat version from 6.8.22 to 8.6.2 ,i find the filebeat lost the fields(source)

filebeat:6.8.22
{
"@timestamp": "2023-02-27T08:41:20.883Z",
"@metadata": {
"beat": "filebeat",
"type": "doc",
"version": "6.8.22",
"topic": "aep-logs"
},
"offset": 880055979,
"prospector": {
"type": "log"
},
"fields": {
"location": "苏州云",
"vpc": "899d1aef-902a-4cfb-8ec3-8630054c0809",
"system": "aep",
"type": "log",
"environment": "dev_aep_ccse",
"topic": "aep-logs",
"zone": "苏州云"
},
"meta": {
"cloud": {
"provider": "openstack",
"instance_id": "i-0021e4ba",
"machine_type": "s6.2xlarge.2",
"instance_name": "ecs-dcb1-0519472.novalocal",
"availability_zone": "cn-jssz1c"
}
},
"input": {
"type": "log"
},
"beat": {
"name": "aep-logcenter-filebeat-kk8vx",
"hostname": "aep-logcenter-filebeat-kk8vx",
"version": "6.8.22"
},
"host": {
"name": "aep-logcenter-filebeat-kk8vx",
"os": {
"codename": "Core",
"platform": "centos",
"version": "7 (Core)",
"family": "redhat",
"name": "CentOS Linux"
},
"containerized": false,
"ip": [
"172.26.229.3"
],
"mac": [
"f2:dd:5b:3d:7c:e1"
],
"architecture": "x86_64"
},
"source": "/data/logs/js_product/aep-da-emq/emqx@172.25.243.24.log",
"log": {
"file": {
"path": "/data/logs/js_product/aep-da-emq/emqx@172.25.243.24.log"
}
},
"message": "2023-02-27 16:41:19.646 info [emqx,,,,] 1 --- [<0.2434.0>] emqx_connection:535 : [<<"emqtt-emqx-redis-expired-6fb485db56-8vwcb-ed245bdeb9b543611587">>] RECV PUBLISH(Q0, R0, D0, Topic=redis/up/expired, PacketId=undefined, Payload=<<"{\"topics\":[],\"msgids\":[],\"sources\":[],\"tasktypes\":[],\"imeis\":[]}">>)",
"tags": [
"aep-logs"
]

filebeat 8.6.2
{
"@timestamp": "2023-02-27T08:38:12.200Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "8.6.2"
},
"fields": {
"zone": "苏州云",
"location": "苏州云",
"vpc": "899d1aef-902a-4cfb-8ec3-8630054c0809",
"system": "aep",
"type": "log",
"environment": "dev_aep_ccse",
"topic": "aep-logs"
},
"ecs": {
"version": "8.0.0"
},
"cloud": {
"service": {
"name": "ECS"
},
"provider": "huawei",
"instance": {
"id": "84f64ac2-8b8f-4187-b2d9-f06f2d6c02e2"
},
"region": "",
"availability_zone": "cn-jssz1c"
},
"log": {
"file": {
"path": "/data/logs/test_aep/aep-iam-aepiamdeviceportal/aep-iam-aepiamdeviceportal_172.26.56.229_0_info.log"
},
"flags": [
"multiline"
],
"offset": 76954
},
"message": "2023-02-27 16:38:06.995 INFO [aep-iam-deviceportal,172.26.56.229_aep-iam-aepiamdeviceportal^1676512569055^144,7977709314779737570,-1,true] 1 --- [http-nio-8777-exec-8] c.e.a.i.d.p.c.FeignConfiguration:36 : feign interceptor header:POST /device.auth HTTP/1.1\nContent-Type: application/json\nContent-Length: 205\nx-alogic-now: 1677487086986\nx-alogic-app: 15156464522591328\nx-alogic-signature: 2CM0jDfnYFeE29wLOkT7m1HRYryLnBV_xNMXvHHd4_E\nhost: aep-iam-aepiamdeviceportal:8777\nuser-agent: hackney/1.12.1\ncontent-length: 181\n\n{"data":{"tenantId":2000078026,"deviceId":"15168103","verifier":"password","signature":"MgLkaRNJIty4gwL3GO0eKvMh7rIq02Mzdxe2ChztANI","signed":"undefined","imsi":null,"ipInfo":null,"devId":"1516810322222"}}",
"tags": [
"aep-logs"
],
"input": {
"type": "log"
},
"agent": {
"version": "8.6.2",
"ephemeral_id": "7d23d1ae-8841-491f-bce1-bd38d00595df",
"id": "8b11db79-911b-4ac3-894c-20084a7027df",
"name": "aep-logcenter-filebeat-xpd9h",
"type": "filebeat"
},
"host": {
"os": {
"family": "debian",
"name": "Ubuntu",
"kernel": "4.4.246-1.el7.elrepo.x86_64",
"codename": "focal",
"type": "linux",
"platform": "ubuntu",
"version": "20.04.5 LTS (Focal Fossa)"
},
"name": "aep-logcenter-filebeat-xpd9h",
"containerized": true,
"ip": [
"172.26.56.234"
],
"mac": [
"3A-FC-73-89-03-3C"
],
"hostname": "aep-logcenter-filebeat-xpd9h",
"architecture": "x86_64"
}
}

leweafan · 2023-02-28T22:24:11Z

This is not a bug and not an issue and should not be posted here. As said in description questions should be posted on https://discuss.elastic.co
Source field has been replaced by log.file.path and source become an object and used for subfields like source.ip.

elasticmachine · 2023-03-01T17:52:53Z

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

michel-laterman · 2023-03-01T17:56:17Z

@leweafan is correct, the field was renamed in the 7.0.0 release: https://www.elastic.co/guide/en/beats/libbeat/7.17/release-notes-7.0.0.html
pr: #8902

botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Feb 28, 2023

15250980346 changed the title ~~Plz check the source fileld(filebeat 8.6.2)~~ Plz check the source fileld (filebeat 8.6.2) Feb 28, 2023

michel-laterman added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Mar 1, 2023

botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Mar 1, 2023

michel-laterman closed this as completed Mar 1, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Plz check the source fileld (filebeat 8.6.2) #34691

Plz check the source fileld (filebeat 8.6.2) #34691

15250980346 commented Feb 28, 2023

leweafan commented Feb 28, 2023

elasticmachine commented Mar 1, 2023

michel-laterman commented Mar 1, 2023

Plz check the source fileld (filebeat 8.6.2) #34691

Plz check the source fileld (filebeat 8.6.2) #34691

Comments

15250980346 commented Feb 28, 2023

leweafan commented Feb 28, 2023

elasticmachine commented Mar 1, 2023

michel-laterman commented Mar 1, 2023