I have a bunch of nodes running filebeat feeding logstash. I’ve tried feeding the logstash output into Graylog in GELF format.
With filebeat 5.x this is working OK and the source field contains the host from the original filebeat message.
With filebeat 6, filebeat changed the format of the host to be a structure (https://github.com/elastic/beats/issues/8655) and now I end up with all this as the source:
{"name":"rs3","id":"7a6167605f6040d2a78d3f315d24bd70","os":{"name":"Debian GNU/Linux","family":"debian","version":"10 (buster)","platform":"debian","codename":"buster"},"containerized":false,"architecture":"x86_64"}
How would I tell graylog to fix this?
It actually works fine if I connect filebeat directly to a beats input, it’s just an issue going via logstash + gelf.