Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Broken host mapping for ECS #39

Closed
petritz opened this issue Apr 29, 2019 · 2 comments · Fixed by #91
Closed

Broken host mapping for ECS #39

petritz opened this issue Apr 29, 2019 · 2 comments · Fixed by #91
Assignees
@eht16
Labels
ecs enhancement

Comments

@petritz
Copy link

petritz commented Apr 29, 2019

With Elasticsearch 7.0 elastic common schema (ECS) was introduced. This maps the hostname to host.name instead of host. Currently logstash_async fails with:

[2019-04-29T08:04:22,562][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash", :_type=>"_doc", :routing=>nil}, #LogStash::Event:0x27275849], :response=>{"index"=>{"_index"=>"logstash-2019.04.26-000001", "_type"=>"_doc", "_id"=>"tRAfaGoB1XS_Z1QomfCX", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"}}}}

As a workaround we changed formatter.LogstashFormatter.format to:

message = {
       	    '@timestamp': self._format_timestamp(record.created),
            '@version': '1',
       	    'host.name': self._host,  # <-- FIXED: was: 'host': ...
       	    'level': record.levelname,
            'logsource': self._logsource,
            'message': record.getMessage(),
            'pid': record.process,
            'program': self._program_name,
       	    'type': self._message_type,
        }
@eht16
Copy link
Owner

eht16 commented May 5, 2019

ECS sounds great, hopefully it will work and makes the logging world a bit better and more structured.

I think I will implement it here as well, just not yet sure how exactly. Probably with a new Formatter subclass to implement ECS.
The previous behavior probably should stay the default to not break existing setups which are pre-ECS.
So users would have to actively switch to the new scheme.

Until implemented, an easier workaround for ECS/ES7 users is to using the mutate filter plugin in Logstash to reformat the event.
Actually, the mentioned host field is only one example (and it's just crashing here due to the name/type conflict) but ECS defines more fields which should be updated in the Formatter class.

@eht16 eht16 self-assigned this May 5, 2019
@redNixon
Copy link

Despite its best intentions(and maybe a little vendor-lockin), ECS claiming ownership over generic and often utilized fieldname like "host" and "agent" I don't think was thoughtout well enough(the seemingly impossible to permanently override beats behavior to send these doesn't help matters).

If this library does adopt a ECS-by-default mode, care to not overwrite user defined fields should be taken as I do not believe the generic terms ECS is using suddenly becoming reserved words is a reasonable stance.

@eht16 eht16 added the ecs label Dec 20, 2023
@eht16 eht16 mentioned this issue Dec 20, 2023
Closed
@andriilahuta andriilahuta mentioned this issue Dec 26, 2023
Merged
@eht16 eht16 closed this as completed in #91 Feb 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@eht16 eht16

Labels
ecs enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add ECS support andriilahuta/python-logstash-async
3 participants
@eht16 @redNixon @petritz