[GH-ISSUE #1771] [LogstashFormatter] ECS support #750

Open
opened 2026-03-04 02:17:38 +03:00 by kerem · 3 comments
Owner

Originally created by @rneuter on GitHub (Nov 1, 2022).
Original GitHub issue: https://github.com/Seldaek/monolog/issues/1771

👋

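I was wondering if [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/8.4/ecs-reference.html#_what_is_ecs) will be supported in the future.

For example, in the ECS, the host field [should be an object](https://www.elastic.co/guide/en/ecs/8.4/ecs-host.html) but is set as a [scalar string in the LogstashFormatter](https://github.com/Seldaek/monolog/blob/6627c092d8a22e3e5b634744ad658652563906a2/src/Monolog/Formatter/LogstashFormatter.php#L73).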

Since version 8 of the ELK stack, ECS is enabled by default on a new installation causing ingestion errors:

Log sent to Logstash from a classic Symfony / Monolog:

```json
{
    "@timestamp": "2022-11-01T15:12:00.252242+00:00",
    "@version": 1,
    "host": "7f50b1b63228",
    "message": "Authenticator successful!",
    "type": "app",
    "channel": "security",
    "level": "INFO",
    "monolog_level": 200,
    "context": {
        "token": {
            "Lexik\\Bundle\\JWTAuthenticationBundle\\Security\\Authenticator\\Token\\JWTPostAuthenticationToken": "JWTPostAuthenticationToken(user=\"x.com\", authenticated=true, roles=\"ROLE_USER\")"
        },
        "authenticator": "Lexik\\Bundle\\JWTAuthenticationBundle\\Security\\Authenticator\\JWTAuthenticator"
    }
}
```

Logstash response:

```json
{
    "error": {
        "type": "mapper_parsing_exception",
        "reason": "object mapping for [host] tried to parse field [host] as object, but found a concrete value"
    }
}
```

Support for ECS will bring breaking changes but will definitely avoid extra setup time on new installations, which should increase over time.

I'm not sure how many fields are concerned, but from what I see maybe it's only the `host` field.

Let me know if you are interested in feedback or want to discuss this!


@Seldaek commented on GitHub (Feb 4, 2023):

I guess this could be a configurable flag on LogstashFormatter so one can enable ECS support, and maybe a deprecation warning if not enabled so people are nudged to migrate slowly and in monolog 4 we can enable by default?


@Seldaek commented on GitHub (Feb 4, 2023):

In any case PR welcome, I don't have access to an ECS stack so I'd rather have someone knowledgeable do this.


@vivere-dally commented on GitHub (Dec 28, 2023):

I think renaming to `hostname` instead of `host` would be sufficient

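An added example, not part of the thread and not Monolog code: a standalone PHP helper (hypothetical name `ecsHostLine`) that rewrites a JSON line in the shape shown in the issue so that a scalar `host` becomes an object before it reaches an ECS-mapped index. Placing the value under `host.name` is an assumption; ECS also defines `host.hostname`.

```php
<?php
declare(strict_types=1);

/**
 * Reshape one JSON log line so that a scalar "host" becomes an object.
 * Hypothetical helper for illustration; not a Monolog API.
 */
function ecsHostLine(string $line): string
{
    // Decode to stdClass (not arrays) so empty objects stay "{}" on re-encode.
    $doc = json_decode($line, false, 512, JSON_THROW_ON_ERROR);
    if (!$doc instanceof stdClass) {
        throw new InvalidArgumentException('log line is not a JSON object');
    }

    // Only a scalar host conflicts with the object mapping reported in the
    // issue; an absent field or an existing object is left untouched.
    if (isset($doc->host) && is_scalar($doc->host)) {
        // Assumption: the hostname goes under host.name.
        $doc->host = (object) ['name' => (string) $doc->host];
    }

    return json_encode(
        $doc,
        JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES
            | JSON_UNESCAPED_UNICODE | JSON_PRESERVE_ZERO_FRACTION
    ) . "\n";
}

// Constructed sample, trimmed from the log shown in the issue.
$sample = '{"@timestamp":"2022-11-01T15:12:00.252242+00:00","@version":1,'
    . '"host":"7f50b1b63228","message":"Authenticator successful!",'
    . '"type":"app","channel":"security","level":"INFO","monolog_level":200}';

// The scalar host is wrapped in an object.
echo ecsHostLine($sample);

// Input whose host is already an object passes through unchanged.
echo ecsHostLine('{"host":{"name":"7f50b1b63228"},"message":"ok"}');

// A line that is not valid JSON raises JsonException instead of being
// forwarded, so a malformed event is noticed rather than silently dropped.
try {
    ecsHostLine('{"host": "7f50b1b63228"');
} catch (JsonException $e) {
    fwrite(STDERR, 'rejected: ' . $e->getMessage() . "\n");
}
```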