missing ident, user auth, response (code) fields will no longer be captured
httpd indicates these nulls as -, meaning that there won't be a 'response' => "-" for such line
referrer and user agent fields will be de-quoted:
previosly: 'referrer' => '"http://semicomplete.com/presentations/logstash-monitorama-2013/"'
changes to: 'referrer' => 'http://semicomplete.com/presentations/logstash-monitorama-2013/'
These changes will be required for (later) ECS mode, the changes in null field matches are less concerning.
However matching http.request.referrer and user_agent.original needs to be "de-quoted" to align with ECS.
Initially thought I'll just target this for master to be released "before" ECS is shipped.
Unfortunately, there isn't a version limiter in the grok filter (s.add_runtime_dependency 'logstash-patterns-core') - so even if this was major it would eventually slip into the next LS (7.x) release.
Reasoning here is that we rather want changes done in relation to ECS to be shipped in one release so users update to changes such as outlined here while still using the legacy set and than handle the new ECS capture names (and type-casts) as the next step. Seems more work and confusion to me to ship these before hand.
kares
commented
4 years ago
NOTE: these changes are the base-line for ECS-ification (https://github.com/logstash-plugins/logstash-patterns-core/pull/267 will rebase off this) and target ecs-wip branch.
Summary of changes :
ident, userauth,response(code) fields will no longer be captured httpd indicates these nulls as-, meaning that there won't be a'response' => "-"for such linereferrerand useragentfields will be de-quoted: previosly:'referrer' => '"http://semicomplete.com/presentations/logstash-monitorama-2013/"'changes to:'referrer' => 'http://semicomplete.com/presentations/logstash-monitorama-2013/'These changes will be required for (later) ECS mode, the changes in null field matches are less concerning. However matching
http.request.referreranduser_agent.originalneeds to be "de-quoted" to align with ECS.Initially thought I'll just target this for master to be released "before" ECS is shipped. Unfortunately, there isn't a version limiter in the grok filter (
s.add_runtime_dependency 'logstash-patterns-core') - so even if this was major it would eventually slip into the next LS (7.x) release.Reasoning here is that we rather want changes done in relation to ECS to be shipped in one release so users update to changes such as outlined here while still using the legacy set and than handle the new ECS capture names (and type-casts) as the next step. Seems more work and confusion to me to ship these before hand.