From ae1e994eabc5228384d97aa00841a0e123d31964 Mon Sep 17 00:00:00 2001
From: Vincent SELLIER <vincent.sellier@softwareheritage.org>
Date: Mon, 22 Nov 2021 14:19:31 +0100
Subject: [PATCH] logstash: rename syslog facility to facility_name when it's a
 string

Such facility ids are generated by NetworkManager but the journalbeat
index mapping is expecting a long (7.15.2)

Related to T3705
---
 site-modules/profile/templates/logstash/filter.conf.erb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/site-modules/profile/templates/logstash/filter.conf.erb b/site-modules/profile/templates/logstash/filter.conf.erb
index 238081665..8d54473cd 100644
--- a/site-modules/profile/templates/logstash/filter.conf.erb
+++ b/site-modules/profile/templates/logstash/filter.conf.erb
@@ -30,6 +30,11 @@ filter {
       }
     }
   } else {
+    if [syslog][facility] !~ /^\d+$/ {
+      mutate {
+        rename => { "[syslog][facility]" => "[syslog][facility_name]" }
+      }
+    }
     if [@metadata][version] {
       mutate {
         add_field => {
-- 
GitLab