Beat_journal prepended to field names

Hey all.

I’m using graylog with beats input and journalbeat container to send logs from systemd journal to graylog.

The thing is that there are a lot of fields (the majority of them) that graylog is showing as beat_journal_fieldname (see the image below).

I’d like to rename them to only fieldname.

How can I check if it is journalbeat that is sending it like that, or if it is graylog that is renaming the fields?

Thank you.

Beats would be renaming the fields; you can rename the fields utilizing a pipeline. Here’s an example when beats sends over Sysmon logs. https://github.com/ion-storm/Graylog_Sysmon/blob/master/Pipelines/sysmon%20cleanup

You could essentially create a pipeline that would look like such for each field:

    rule "Journal Cleanup or Whatever"
    when
        has_field("beat_type") && contains(to_string($message.beat_type), "journal")
    then
        rename_field("beat_type", "type");
    end

EDIT: Also, it’s been a while since I’ve used beats, but you should also be able to configure it to not rename your fields if I’m not mistaken.
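A fuller version of the same approach, as an added example that is not from the answer above or from Graylog's own documentation: one rule that matches journalbeat messages and renames several prefixed fields in one pass. The prefixed names (beat_journal_syslog_identifier and so on) and the target names are assumptions; check the field names on a sample message in your stream before using them.

```graylog
rule "strip beat_journal prefix from journalbeat fields"
when
    // only touch messages that arrived via the Beats input from journalbeat
    has_field("beat_type") && contains(to_string($message.beat_type), "journal")
then
    // assumed field names: replace with the ones that actually show up in Graylog
    rename_field("beat_journal_syslog_identifier", "syslog_identifier");
    rename_field("beat_journal_systemd_unit", "systemd_unit");
    rename_field("beat_journal_priority", "priority");
    rename_field("beat_journal_pid", "pid");
    // do not rename onto Graylog's reserved fields (message, source, timestamp),
    // or the original values in those fields are overwritten
    rename_field("beat_journal_message", "journal_message");
    // marker field so the effect of the rule is easy to spot while verifying
    set_field("journal_fields_renamed", true);
end
```

rename_field on a field that is absent from a message is a no-op, so the rule is safe to run on messages that carry only some of the listed fields.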

Hi @fbueno

just use pipelines (as already suggested) - some good ideas can be found in this blog post

https://www.graylog.org/blog/83-back-to-basics-enhance-windows-security-with-sysmon-and-graylog

That should give you the basics of how to create that processing pipeline and how the rules should be created.


Thank you very much guys. It worked
