
Use the logs.ecs index instead of logs #17909

Open
rdner wants to merge 1 commit into elastic:main from rdner:filestream-rename-logs-index

Conversation


@rdner rdner commented Mar 19, 2026

Proposed commit message

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • [ ] I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  1. Build this altered integration package with elastic-package build
  2. Then run the registry with elastic-package stack up --version 9.4.0-SNAPSHOT
  3. Create an agent policy with the altered integration (note the 2.4.0 version):
     (screenshots)
  4. Create a new Fleet output which is allowed to write to data streams:
     (screenshot)
  5. Select this new output in the policy settings:
     (screenshot)
  6. Install an agent locally (I used 9.3.2, does not have to be 9.4.0):
     sudo ./elastic-agent install --develop
  7. Enroll the installed agent with:
     sudo elastic-development-agent enroll --url=https://fleet-server:8220 --enrollment-token=<token> --insecure
     (screenshot)
  8. Check that the test logs got ingested into the logs.ecs index:
     (screenshots)

We can also inspect the computed filestream configuration in the agent diagnostics:

beat-rendered-config.yml

apm: {}
features:
    features:
        fqdn:
            enabled: false
inputs:
    - clean_inactive: -1
      file_identity:
        fingerprint: null
      id: filestream-filestream.filestream-546d6aa6-3510-4e7c-83fd-c9e8bf21155f
      index: logs.ecs
      paths:
        - /logs/*.log
      processors:
        - add_fields:
            fields:
                input_id: filestream-filestream-546d6aa6-3510-4e7c-83fd-c9e8bf21155f
            target: '@metadata'
        - add_fields:
            fields:
                dataset: filestream.filestream
                namespace: default
                type: logs
            target: data_stream
        - add_fields:
            fields:
                dataset: filestream.filestream
            target: event
        - add_fields:
            fields:
                stream_id: filestream-filestream.filestream-546d6aa6-3510-4e7c-83fd-c9e8bf21155f
            target: '@metadata'
        - add_fields:
            fields:
                id: 6335dc4d-c911-49cf-8ff7-9ff98f7ff161
                snapshot: false
                version: 9.3.2
            target: elastic_agent
        - add_fields:
            fields:
                id: 6335dc4d-c911-49cf-8ff7-9ff98f7ff161
            target: agent
      prospector:
        scanner:
            exclude_files:
                - \.gz$
            fingerprint:
                enabled: true
                length: 1024
                offset: 0
            recursive_glob: true
      type: filestream
outputs:
    elasticsearch:
        api_key: <REDACTED>
        bulk_max_size: 1600
        compression_level: 1
        hosts:
            - https://elasticsearch:9200
        idle_connection_timeout: 3s
        preset: balanced
        queue:
            mem:
                events: 3200
                flush:
                    min_events: 1600
                    timeout: 10s
        ssl:
            ca_trusted_fingerprint: <REDACTED>
            certificate: <REDACTED>
            certificate_authorities: []
        type: elasticsearch
        worker: 1
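As an added example (not part of this PR or the integration's own code), a small Python check that audits the filestream inputs of a rendered config like the dump above and reports any input that will not land in the expected logs.ecs data stream; it reads a constructed dict mirroring the YAML (the diagnostics file would first need a YAML parser), and the second input, its dataset and its paths are hypothetical.

```python
"""Audit filestream inputs in an Elastic Agent beat-rendered-config.yml (agent
diagnostics) and report any whose index is not the expected logs.ecs data stream."""

# Constructed sample: a subset of the rendered config shown in this PR, plus a
# second, hypothetical input that still points at the legacy "logs" index.
RENDERED_CONFIG = {
    "inputs": [
        {
            "id": "filestream-filestream.filestream-546d6aa6-3510-4e7c-83fd-c9e8bf21155f",
            "type": "filestream",
            "index": "logs.ecs",
            "paths": ["/logs/*.log"],
            "processors": [{"add_fields": {"target": "data_stream", "fields": {
                "dataset": "filestream.filestream", "namespace": "default", "type": "logs"}}}],
        },
        {
            "id": "filestream-legacy-example",  # hypothetical input, not from the PR
            "type": "filestream",
            "index": "logs",
            "paths": ["/var/log/other/*.log"],
            "processors": [{"add_fields": {"target": "data_stream", "fields": {
                "dataset": "filestream.other", "namespace": "default", "type": "logs"}}}],
        },
    ],
}


def data_stream_fields(inp):
    """Return the fields set by the add_fields processor whose target is data_stream."""
    for proc in inp.get("processors", []):
        spec = proc.get("add_fields", {})
        if spec.get("target") == "data_stream":
            return spec.get("fields", {})
    return {}


def audit_inputs(config, expected_index="logs.ecs"):
    """Return one finding per filestream input that will not land in expected_index."""
    findings = []
    for inp in config.get("inputs", []):
        if inp.get("type") != "filestream":
            continue  # only filestream inputs are affected by this change
        index = inp.get("index")  # None means the input relies on the default index
        if index != expected_index:
            findings.append(f"{inp.get('id')}: index={index!r}, expected {expected_index!r}")
        # logs.ecs is a logs data stream; flag inputs tagged with another data_stream.type
        if data_stream_fields(inp).get("type", "logs") != "logs":
            findings.append(f"{inp.get('id')}: data_stream.type is not 'logs'")
    return findings
```

Run it against the `inputs` section of a diagnostics bundle after converting the YAML to a dict; an empty result means every filestream input is routed to logs.ecs.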

Related issues

When "Use logs data stream" is enabled, we now write to the `logs.ecs` data stream.
@rdner rdner self-assigned this Mar 19, 2026
@rdner rdner added Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] Integration:filestream Custom Logs (Filestream) labels Mar 19, 2026
@elasticmachine

💚 Build Succeeded

cc @rdner

@rdner rdner marked this pull request as ready for review March 19, 2026 17:04
@rdner rdner requested a review from a team as a code owner March 19, 2026 17:04
@rdner rdner requested review from belimawr and orestisfl March 19, 2026 17:04
@elasticmachine

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

Development

Successfully merging this pull request may close these issues.

[Filestream] Ship data to logs.ecs instead of logs

2 participants