While testing the journald input from master I found that the event format changed from what it produced in 7.x. I don't think this was intentional. It no longer translates the field names as described in the docs.
```json
{
  "@timestamp": "2022-01-26T15:45:33.876Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "8.1.0"
  },
  "_HOSTNAME": "ubuntu",
  "agent": {
    "ephemeral_id": "487ca4cf-400e-4b10-93ac-dd181aa48a04",
    "id": "30326e16-e7ec-4db4-ace4-6afabefc84cb",
    "name": "ubuntu-impish",
    "type": "filebeat",
    "version": "8.1.0"
  },
  "host": {
    "name": "ubuntu-impish"
  },
  "PRIORITY": "6",
  "_MACHINE_ID": "d0bf0d000d034a4e93307255268a3a69",
  "_TRANSPORT": "kernel",
  "ecs": {
    "version": "8.0.0"
  },
  "_BOOT_ID": "b8d3fca6f9f44ad1acdefef51ce2b8b7",
  "_SOURCE_MONOTONIC_TIMESTAMP": "389271",
  "tags": [
    "NEW"
  ],
  "message": "Kprobes globally optimized",
  "SYSLOG_FACILITY": "0",
  "SYSLOG_IDENTIFIER": "kernel",
  "input": {
    "type": "journald"
  }
}
```