Filebeat linux source: unknown

Hi,
I’m struggling with this for a while. I have Filebeat running, and it is sending logs successfully, but in the Graylog UI the source appears as unknown.

I have tried without fields_under_root, but it seems it stops sending at all.
Is there any way to parametrize source field in Graylog?

My filebeat config:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}

fields.gl2_source_collector: ${sidecar.nodeId}
source: node_name
filebeat.config.modules:
  reload.enabled: false
type: log
enabled: true
filebeat.inputs:
- input_type: log
  paths:
    - /opt/logs/*.log
  type: log
output.logstash:
   hosts: ["${user.BeatsInput}"]
path:
  data: /var/lib/graylog-sidecar/collectors/filebeat/data
  logs: /var/lib/graylog-sidecar/collectors/filebeat/log
tags:
 - ${sidecar.operatingSystem}

I can’t test it right now but my first guess is instead of

source: node_name

you could try

fields.source: ${sidecar.nodeName}

@wmlodzianowski simple as @tmacgbay suggest.

put in your third line:

fields.source: ${sidecar.nodeName}

that should be fixed now.

Thanks guys, but I have already tried it and it puts the name in the field filebeat.source thanks to fields_under_root: true and I want it to be in source column in graylog ui. I tried also to set fields_under_root: false and provide Graylog fields by full path but then it doesn’t send logs at all.

so, did you checked the box at the beats input? The very last one? What is the exact configuration of your beats input on Graylog

it was unchecked. Checking it did the trick. Thanks a lot!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.