ActionScripted/elastic-kibana-postfix

Version requirements?

Opened this issue · 2 comments

Hi there, I have a filebeat 6.5.1 and our elastic stack is also at 6.5.1.
When I set up the filebeat it does say it finds 1 input (dedicated postfix server), but I don't see anything arriving on the logstash. It does have access, as I can telnet to the port from the filebeat server, so I was wondering if the syntax used in the configs.d is only available for 7.x filebeats?

Hello, @fribse
I had the same issue. Fixed it with the following 51-filter-postfix-aggregate.conf:

filter {
  # qmgr line that carries the sender: remember it under the queue ID
  if [program] == "postfix/qmgr" and [postfix_from] {
    aggregate {
      task_id => "%{postfix_queueid}"
      code => "
        map['postfix_from'] = event.get('postfix_from')
        map['postfix_size'] = event.get('postfix_size')
        map['postfix_nrcpt'] = event.get('postfix_nrcpt')
      "
    }
  # smtp line: copy everything stored for this queue ID onto the event
  } else if [program] == "postfix/smtp" {
    aggregate {
      task_id => "%{postfix_queueid}"
      code => "
        map.each do |key, value|
          event.set(key, value)
        end
      "
    }
  }
  # drop smtp lines that carry a TLS version field
  if [program] == "postfix/smtp" and [postfix_tls_version] {
    drop {}
  }
  # drop every other postfix event; only the enriched smtp lines remain
  if [postfix] and [program] != "postfix/smtp" {
    drop {}
  }
}

Working properly on ELK 6 and 7
Thank you
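Added example (not part of the thread or of the project's code): a plain-Ruby simulation of what the filter in the comment above does to already-parsed events, including the case where a delivery line arrives before its qmgr line and therefore gets no sender fields. The sample events, the `postfix_status` field and the `run_filter` helper are constructed for illustration; because the result depends on event order, the aggregate filter's documentation says to run the pipeline with a single worker.

```ruby
# Constructed sample events, using the field names the filter refers to.
EVENTS = [
  { 'postfix' => true, 'program' => 'postfix/smtp', 'postfix_queueid' => 'A1',
    'postfix_tls_version' => 'TLSv1.2' },
  { 'postfix' => true, 'program' => 'postfix/qmgr', 'postfix_queueid' => 'A1',
    'postfix_from' => 'alice@example.org', 'postfix_size' => '512', 'postfix_nrcpt' => '1' },
  { 'postfix' => true, 'program' => 'postfix/smtp', 'postfix_queueid' => 'A1',
    'postfix_status' => 'sent' },
  { 'postfix' => true, 'program' => 'postfix/qmgr', 'postfix_queueid' => 'A1' }, # no sender
  # Out-of-order case: the delivery line is seen before its qmgr line.
  { 'postfix' => true, 'program' => 'postfix/smtp', 'postfix_queueid' => 'B2',
    'postfix_status' => 'sent' },
  { 'postfix' => true, 'program' => 'postfix/qmgr', 'postfix_queueid' => 'B2',
    'postfix_from' => 'bob@example.org', 'postfix_size' => '900', 'postfix_nrcpt' => '2' }
].freeze

KEPT = %w[postfix_from postfix_size postfix_nrcpt].freeze

# Hypothetical helper: applies the filter's stages to each event in order
# and returns the events that would be indexed.
def run_filter(events)
  maps = Hash.new { |h, k| h[k] = {} } # one aggregate map per queue ID
  events.each_with_object([]) do |src, out|
    event = src.dup
    qid = event['postfix_queueid']
    if event['program'] == 'postfix/qmgr' && event['postfix_from']
      KEPT.each { |f| maps[qid][f] = event[f] }          # first aggregate block
    elsif event['program'] == 'postfix/smtp'
      maps[qid].each { |key, value| event[key] = value } # second aggregate block
    end
    next if event['program'] == 'postfix/smtp' && event['postfix_tls_version'] # drop
    next if event['postfix'] && event['program'] != 'postfix/smtp'             # drop
    out << event
  end
end

if __FILE__ == $PROGRAM_NAME
  run_filter(EVENTS).each { |e| puts e.inspect }
end
```

Only the two delivery lines survive: the one for A1 carries the sender, size and recipient count, while the one for B2 does not because its qmgr line came later.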

I was trying with ELK 6.5 and it is asking for .ndjson files. Would it be possible for you to share the UI dashboard .json and configuration files that work with ELK 6 and 7?