Changes to the Output Fields
In the default configuration, Filebeat structures its output documents a little differently from the Logstash Forwarder. This section discusses the differences and the options you have in case you want compatibility with the Logstash Forwarder.
Custom Fields are Grouped Under a "fields" Dictionary
The custom fields (added from the configuration file) are set as top-level
fields in Logstash Forwarder but are grouped together under a fields
dictionary in Filebeat. If you need the old behavior during the migration phase,
you can use the fields_under_root configuration option:

filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/*.log
  document_type: syslog
  fields:
    service: test01
  fields_under_root: true

Filebeat uses "beat.hostname" for Sending the Hostname of the Server
While the Logstash Forwarder sends the hostname of the server it’s running on in
the host field, Filebeat uses the beat.hostname field for the same purpose.
Because host is commonly used in the Logstash plugin ecosystem, the Beats
input plugin automatically copies beat.hostname into host.
The "file" Field Was Renamed to "source"
The file field was renamed to source. If you rely on this field being
named file, you can rename it by using the mutate filter in Logstash. For
example:

filter {
  mutate {
    rename => {
      "source" => "file"
    }
  }
}

The "line" Field Was Removed
The line field was removed. This field wasn’t correct after restarts, and
making it correct would have resulted in a performance penalty. We recommend
using the offset field instead.
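
The field changes described above, applied together to one event, as an added example that is not part of the Filebeat or Logstash code. It can be used to check that parsers, dashboards or alert rules written against Logstash Forwarder field names still match after the migration. The function name, the sample event and the collision handling (keep the existing top-level field and report the custom one) are assumptions of this example.

```python
import copy

# Constructed sample of a Filebeat event in its default layout (not captured output).
SAMPLE_FILEBEAT_EVENT = {
    "@timestamp": "2016-01-01T00:00:00.000Z",
    "beat": {"hostname": "web01", "name": "web01"},
    "source": "/var/log/auth.log",
    "offset": 1024,
    "type": "syslog",
    "message": "constructed sample line",
    "fields": {"service": "test01"},
}


def to_forwarder_layout(event):
    """Return (reshaped_event, skipped_custom_fields) using Logstash Forwarder names.

    Hypothetical helper: the input dict is left unmodified.
    """
    out = copy.deepcopy(event)
    skipped = []

    # Custom fields: nested under "fields" in Filebeat, top-level in the Forwarder.
    # Example's choice: never let a custom field replace an existing top-level one.
    for key, value in out.pop("fields", {}).items():
        if key in out:
            skipped.append(key)
        else:
            out[key] = value

    # Hostname: Filebeat sends beat.hostname, the Forwarder sent host.
    hostname = out.get("beat", {}).get("hostname")
    if hostname is not None and "host" not in out:
        out["host"] = hostname

    # File path: "source" in Filebeat, "file" in the Forwarder.
    if "source" in out:
        out["file"] = out.pop("source")

    # "line" has no Filebeat equivalent; "offset" is kept as the position marker.
    return out, skipped


if __name__ == "__main__":
    reshaped, skipped = to_forwarder_layout(SAMPLE_FILEBEAT_EVENT)
    print(reshaped)
    print("skipped custom fields:", skipped)
```

A non-empty second return value means a custom field name collides with a field Filebeat already sets, which is worth resolving in the configuration before enabling fields_under_root.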