
Filebeat not ingesting the new `client.ip` field in Kibana audit log

Open zhwen0 opened this issue 2 years ago • 2 comments

Issue: Kibana audit log field `client.ip` not ingested by Filebeat 8.7

Description: Kibana 8.7.0 added a new `client.ip` field to its audit log to store the IP address of the client.

What's New in 8.7 Audit Logs - HTTP and URL Fields

However, when I use Filebeat 8.7 to ingest the Kibana 8.7 audit logs into Elasticsearch, `client.ip` is not found anywhere in the indexed documents.

Looking through the ingest pipeline `filebeat-8.7.0-kibana-audit-pipeline-json`, as well as the source elastic/beats/tree/main/filebeat/module/kibana/audit/ingest/pipeline-json.yml on GitHub, it seems that there is no processor handling `client.ip` before it was dropped at the final remove processor in the pipeline.

zhwen0 avatar May 22 '23 03:05 zhwen0
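One way to confirm the field loss reported above is to diff the dotted field paths of a raw audit event against the `_source` of the document that was indexed from it. This is an added example, not code from the issue author or from Elastic; both sample documents are constructed, and the helper names `flatten` and `dropped_fields` are hypothetical.

```python
import json

# Constructed sample: one Kibana audit log line in ECS JSON shape (not from the issue).
RAW_AUDIT_LINE = json.dumps({
    "@timestamp": "2023-05-22T03:00:00.000Z",
    "message": "User is requesting [/api/status] endpoint",
    "event": {"action": "http_request", "category": ["web"], "outcome": "unknown"},
    "client": {"ip": "198.51.100.7"},
    "http": {"request": {"method": "get"}},
    "url": {"path": "/api/status"},
    "user": {"name": "analyst"},
})

# Constructed sample: _source of the matching indexed document, with client.ip absent.
INDEXED_SOURCE = {
    "@timestamp": "2023-05-22T03:00:00.000Z",
    "message": "User is requesting [/api/status] endpoint",
    "event": {"action": "http_request", "category": ["web"], "outcome": "unknown",
              "dataset": "kibana.audit"},
    "http.request.method": "get",  # flat dotted keys are handled like nested ones
    "url": {"path": "/api/status"},
    "user": {"name": "analyst"},
}


def flatten(doc, prefix=""):
    """Map a nested document to {dotted.path: leaf}; lists and empty dicts are leaves."""
    out = {}
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict) and value:
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def dropped_fields(raw_line, indexed_source):
    """Return the sorted dotted paths present in the raw event but not indexed."""
    raw = flatten(json.loads(raw_line))
    indexed = flatten(indexed_source)
    return sorted(set(raw) - set(indexed))


if __name__ == "__main__":
    print(dropped_fields(RAW_AUDIT_LINE, INDEXED_SOURCE))
```

Running the same comparison over a sample of events after any pipeline or Filebeat upgrade shows whether audit fields such as the client address are reaching the index.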

This issue doesn't have a Team:<team> label.

botelastic[bot] avatar May 22 '23 04:05 botelastic[bot]

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!

botelastic[bot] avatar May 21 '24 04:05 botelastic[bot]