The Logstash configurations shown in the section about working with Filebeat modules use the old field names generated by Beats. As part of our move to ECS, we need to update the configs for 7.0 and later to use the new field names. The config examples have not been updated for awhile, so some of them use field names that were removed in previous releases, making it a little harder to figure out the correct fields to use.

@karenzone Do you know if there is a good/easy way to convert logstash configs to use the ECS fields? Are we planning some kind of migration tool that could help us here? I started to convert them by hand (because I wanted to remove references to apache2), but quickly learned that it's not a trivial effort.