
Broken host mapping for ECS

Open petritz opened this issue 6 years ago • 2 comments

With Elasticsearch 7.0, the Elastic Common Schema (ECS) was introduced. This maps the hostname to host.name instead of host. Currently logstash_async fails with:

[2019-04-29T08:04:22,562][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash", :_type=>"_doc", :routing=>nil}, #LogStash::Event:0x27275849], :response=>{"index"=>{"_index"=>"logstash-2019.04.26-000001", "_type"=>"_doc", "_id"=>"tRAfaGoB1XS_Z1QomfCX", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"}}}}

As a workaround we changed formatter.LogstashFormatter.format to:

```python
message = {
    '@timestamp': self._format_timestamp(record.created),
    '@version': '1',
    'host.name': self._host,  # <-- FIXED: was: 'host': ...
    'level': record.levelname,
    'logsource': self._logsource,
    'message': record.getMessage(),
    'pid': record.process,
    'program': self._program_name,
    'type': self._message_type,
}
```

petritz avatar Apr 29 '19 08:04 petritz

ECS sounds great, hopefully it will work and makes the logging world a bit better and more structured.

I think I will implement it here as well, just not yet sure how exactly. Probably with a new Formatter subclass to implement ECS. The previous behavior probably should stay the default to not break existing setups which are pre-ECS. So users would have to actively switch to the new scheme.

Until implemented, an easier workaround for ECS/ES7 users is to use the mutate filter plugin in Logstash to reformat the event. Actually, the mentioned host field is only one example (and it's just crashing here due to the name/type conflict) but ECS defines more fields which should be updated in the Formatter class.

eht16 avatar May 05 '19 20:05 eht16

Despite its best intentions (and maybe a little vendor lock-in), ECS claiming ownership over generic and often utilized field names like "host" and "agent" I don't think was thought out well enough (the seemingly impossible to permanently override beats behavior to send these doesn't help matters).

If this library does adopt an ECS-by-default mode, care to not overwrite user defined fields should be taken as I do not believe the generic terms ECS is using suddenly becoming reserved words is a reasonable stance.

redNixon avatar Dec 21 '19 06:12 redNixon
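The two points raised in this thread, a Formatter subclass that emits ECS-shaped events (so `host` is an object and no longer collides with the `host.name` mapping in the error above) and a merge that does not silently overwrite caller-supplied fields, can be shown together in one stdlib-only formatter. The code below is an added illustration, not python-logstash-async's own code: `EcsFormatter`, `merge_without_clobber`, `mapping_conflicts` and the `labels` fallback are assumptions made for this example, and the sample record is constructed inline.

```python
import json
import logging
import socket
from datetime import datetime, timezone

# Added illustration, not python-logstash-async's own code. Class and helper
# names are assumptions made for this example.

ECS_VERSION = "1.0"

# Attributes every LogRecord carries; anything else arrived via extra={...}.
_STANDARD_ATTRS = set(vars(logging.makeLogRecord({}))) | {"message", "asctime"}


def _extra_fields(record):
    """Return the caller-supplied fields attached to a LogRecord via extra=."""
    return {k: v for k, v in vars(record).items() if k not in _STANDARD_ATTRS}


def merge_without_clobber(base, extra):
    """Merge caller fields into the ECS skeleton without either side silently
    overwriting the other:
    - keys that do not collide are copied in unchanged;
    - nested objects are merged recursively;
    - an object/scalar clash (the exact 'host' conflict from the issue) keeps
      the caller's value under ECS's free-form 'labels' object instead of
      replacing the object and breaking the index mapping.
    """
    out = dict(base)
    for key, value in extra.items():
        if key not in out:
            out[key] = value
        elif isinstance(out[key], dict) and isinstance(value, dict):
            out[key] = merge_without_clobber(out[key], value)
        else:
            labels = out.get("labels")
            labels = dict(labels) if isinstance(labels, dict) else {}
            labels[key] = value
            out["labels"] = labels
    return out


class EcsFormatter(logging.Formatter):
    """Emit LogRecords as ECS-shaped JSON documents."""

    def __init__(self, program_name="app", hostname=None):
        super().__init__()
        self._program_name = program_name
        self._host = hostname or socket.gethostname()

    def build_document(self, record):
        ts = datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat()
        skeleton = {
            "@timestamp": ts,
            "ecs": {"version": ECS_VERSION},
            "host": {"name": self._host},  # object, not a concrete string
            "log": {"level": record.levelname.lower(), "logger": record.name},
            "message": record.getMessage(),
            "process": {"pid": record.process, "name": self._program_name},
        }
        return merge_without_clobber(skeleton, _extra_fields(record))

    def format(self, record):
        return json.dumps(self.build_document(record), default=str)


def mapping_conflicts(doc, expected_objects=("ecs", "host", "log", "process")):
    """List ECS object fields that carry a concrete value, i.e. documents that
    Elasticsearch would reject with mapper_parsing_exception."""
    return [f for f in expected_objects if f in doc and not isinstance(doc[f], dict)]


if __name__ == "__main__":
    # Constructed sample: a caller still sends the legacy flat 'host' string.
    fmt = EcsFormatter(program_name="demo", hostname="web1")
    rec = logging.makeLogRecord({"name": "demo", "levelname": "INFO",
                                 "msg": "login ok", "host": "legacy-box",
                                 "user": {"name": "alice"}})
    print(fmt.format(rec))
    print("conflicts:", mapping_conflicts(fmt.build_document(rec)))
```

Keeping the legacy-style behaviour as the default and opting into `EcsFormatter` explicitly, as eht16 suggests, leaves existing pipelines untouched; `mapping_conflicts` is a cheap pre-flight check to run over sample events before pointing a new formatter at a 7.x index.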