Cannot invoke \"String.length()\" because \"str\" is null

Working on migrating Windows DNS logs to data stream and seeing a lot of errors.

[2022-05-26T13:43:37,457][INFO ][logstash.outputs.elasticsearch][filebeat-dns-dhcp][7fe0474f97756847637aa742a5ac38f62e0e1460d0c70da893dabe9614baac8f] Retrying failed action {:status=>500, :action=>["create", {:_id=>nil, :_index=>"logs-dns-default", :routing=>nil}, {"dns.subdomainname"=>"my", "input"=>{"type"=>"filestream"}, "dns.subdomain"=>"my.salesforce.com", "Flags"=>{"AuthoritativeAnswer"=>"False", "RecursionAvailable"=>"True", "TruncatedResponse"=>"False", "RecursionDesired"=>"True"}, "host"=>{"name"=>"KIKMRKSEC01"}, "packetIdentifier"=>"0000006C3EA11110", "responseCode"=>"NOERROR", "protocol"=>"UDP", "agent"=>{"ephemeral_id"=>"04c7ff0b-2de2-4c87-85fa-197a7f3e1d7f", "name"=>"KIKMRKSEC01", "version"=>"8.1.3", "type"=>"filebeat", "id"=>"8121e146-08af-4ca8-9cb4-1bcfefe696ec"}, "remoteIP"=>"172.20.6.4", "context"=>"PACKET", "ecs"=>{"version"=>"8.0.0"}, "dns.TLD"=>"com", "direction"=>"Snd", "flagsHex"=>"8081", "log"=>{"file"=>{"path"=>"D:\\logs\\dnslog\\dns.log"}, "offset"=>18816}, "dns.questionName"=>"westlakechemical.my.salesforce.com", "tags"=>["beats_input_codec_plain_applied"], "event"=>{}, "xid"=>"0559", "dns.questionType"=>"A", "dns.domainname"=>"salesforce", "dns.domain"=>"salesforce.com", "queryResponse"=>"Response", "flags"=>"DR ", "opcode"=>"Standard Query", "@version"=>"1", "@timestamp"=>2022-05-26T14:57:09Z, "treadId"=>"1A00", "data_stream"=>{"type"=>"logs", "dataset"=>"dns", "namespace"=>"default"}}], :error=>{"type"=>"null_pointer_exception", "reason"=>"Cannot invoke \"String.length()\" because \"str\" is null"}}

Current config is

filter{
	if "dnslog" in [log][file][path] {
		grok {
			patterns_dir => ["/etc/logstash/patterns"]
			match => { "message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:treadId}\s+%{WORD:context}\s+%{DATA:packetIdentifier}\s+%{WORD:protocol}\s+%{WORD:direction}\s+%{IP:remoteIP}\s+%{BASE16NUM:xid}\s+(%{WORD:queryResponse})?\s+%{DATA:opcode}\s+\[%{BASE16NUM:flagsHex}\s+%{GREEDYDATA:flags}\s+%{WORD:responseCode}\]\s+(%{WORD:dns.questionType}\s+)?(%{GREEDYDATA:dns.questionName})?"}
		}
	### parse timestamp
		date { match => [ "[timestamp]", "M/dd/YYYY hh:mm:ss a" ] }
	### parse query/response type	
		if [queryResponse] == "R" {
			mutate {update => { "queryResponse" => "Response" }}
		}
		else {
			mutate {add_field => {"queryResponse" => "Query"}}
		}
	### parse opcode		
		if [opcode] == "Q" {
			mutate {update => { "opcode" => "Standard Query" }}
		} else if  [opcode] == "N" {
			mutate {update => { "opcode" => "Notify" }}
		} else if  [opcode] == "U" {
			mutate {update => { "opcode" => "Update" }}
		} else if  [opcode] == "?" {
			mutate {update => { "opcode" => "Unknown" }}
		}
	### parse flags	
		if "A" in [flags] {
			mutate {add_field => {"[Flags][AuthoritativeAnswer]" => True}}
		} else {
			mutate {add_field => {"[Flags][AuthoritativeAnswer]" => False}}
		}
		if "T" in [flags] {
			mutate {add_field => {"[Flags][TruncatedResponse]" => True}}
		} else {
			mutate {add_field => {"[Flags][TruncatedResponse]" => False}}
		}
		if "D" in [flags] {
			mutate {add_field => {"[Flags][RecursionDesired]" => True}}
		} else {
			mutate {add_field => {"[Flags][RecursionDesired]" => False}}
		}
		if "R" in [flags] {
			mutate {add_field => {"[Flags][RecursionAvailable]" => True}}
		} else {
			mutate {add_field => {"[Flags][RecursionAvailable]" => False}}
		}
	### parse dns question name
		mutate {
			gsub => [                                     #(4)maps(17)google(5)com(0)
			  "dns.questionName", "^\s*", "",			#remove leading space
			  "dns.questionName", "\s*$", "",			#remove tailing space
			  "dns.questionName", "^\(\d+\)", "",		#remove leading (xx)
			  "dns.questionName", "\(\d\)$", "",		#remove tailing (xx)
			  "dns.questionName", "\(\d+\)", "."		#replace (xx) with .
			]
			lowercase => ["dns.questionName"]
		}	
		if [dns.questionName] {
			if "." in [dns.questionName] {
				grok {
					match => { "dns.questionName" => "(((.*)\.)?(?<dns.subdomainname>.*)\.)?(?<dns.domainname>.*)\.(?<dns.TLD>\w+$)"}
				}
				mutate {
					add_field => {"[dns.domain]" => "%{dns.domainname}.%{dns.TLD}"}
				}
				if [dns.subdomainname] {
					mutate {
						add_field => {"[dns.subdomain]" => "%{dns.subdomainname}.%{dns.domainname}.%{dns.TLD}"}
					}
				}
		  } else {
			mutate { add_field => {"[dns][TLD]" => "%{dns.questionName}"} }
		  }
		}			
	}
}

Please advise.

If you look in the Elasticsearch log there should be a stacktrace when Elasticsearch generates that response to logstash.

I found something like this.

[2022-05-26T13:43:36,828][WARN ][o.e.t.OutboundHandler    ] [mrkes01] failed to serialize outbound message [Response{30521395}{false}{false}{false}{class org.elasticsearch.action.admin.indices.create.CreateIndexResponse}]
java.lang.NullPointerException: Cannot invoke "String.length()" because "str" is null
	at org.elasticsearch.common.io.stream.StreamOutput.writeString(StreamOutput.java:390) ~[elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.admin.indices.create.CreateIndexResponse.writeTo(CreateIndexResponse.java:63) ~[elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.transport.OutboundMessage.serialize(OutboundMessage.java:70) ~[elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.transport.OutboundHandler.sendMessage(OutboundHandler.java:170) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.transport.OutboundHandler.sendResponse(OutboundHandler.java:145) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.transport.TcpTransportChannel.sendResponse(TcpTransportChannel.java:57) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.transport.TaskTransportChannel.sendResponse(TaskTransportChannel.java:41) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.support.ChannelActionListener.onResponse(ChannelActionListener.java:38) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.support.ChannelActionListener.onResponse(ChannelActionListener.java:19) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$2(SecurityActionFilter.java:169) [x-pack-security-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.ActionListener$DelegatingFailureActionListener.onResponse(ActionListener.java:219) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.ActionListener$DelegatingActionListener.onResponse(ActionListener.java:186) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.admin.indices.create.AutoCreateAction$TransportAction.lambda$masterOperation$1(AutoCreateAction.java:151) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.support.ActiveShardsObserver.waitForActiveShards(ActiveShardsObserver.java:68) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.admin.indices.create.AutoCreateAction$TransportAction.lambda$masterOperation$2(AutoCreateAction.java:147) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:136) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.AckedClusterStateUpdateTask.onAllNodesAcked(AckedClusterStateUpdateTask.java:59) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.service.MasterService$SafeAckedClusterStateTaskListener.onAllNodesAcked(MasterService.java:661) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.service.MasterService$TaskOutputs.lambda$notifySuccessfulTasksOnUnchangedClusterState$4(MasterService.java:545) [elasticsearch-8.1.3.jar:8.1.3]
	at java.util.ArrayList.forEach(ArrayList.java:1511) [?:?]
	at org.elasticsearch.cluster.service.MasterService$TaskOutputs.notifySuccessfulTasksOnUnchangedClusterState(MasterService.java:542) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.service.MasterService.runTasks(MasterService.java:244) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.service.MasterService$Batcher.run(MasterService.java:162) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.service.TaskBatcher.runIfNotProcessed(TaskBatcher.java:152) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.service.TaskBatcher$BatchedTask.run(TaskBatcher.java:208) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:717) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:260) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:223) [elasticsearch-8.1.3.jar:8.1.3]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
	at java.lang.Thread.run(Thread.java:833) [?:?]
[2022-05-26T13:43:37,434][WARN ][o.e.t.OutboundHandler    ] [mrkes01] failed to serialize outbound message [Response{30521478}{false}{false}{false}{class org.elasticsearch.action.admin.indices.create.CreateIndexResponse}]
java.lang.NullPointerException: Cannot invoke "String.length()" because "str" is null
	at org.elasticsearch.common.io.stream.StreamOutput.writeString(StreamOutput.java:390) ~[elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.admin.indices.create.CreateIndexResponse.writeTo(CreateIndexResponse.java:63) ~[elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.transport.OutboundMessage.serialize(OutboundMessage.java:70) ~[elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.transport.OutboundHandler.sendMessage(OutboundHandler.java:170) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.transport.OutboundHandler.sendResponse(OutboundHandler.java:145) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.transport.TcpTransportChannel.sendResponse(TcpTransportChannel.java:57) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.transport.TaskTransportChannel.sendResponse(TaskTransportChannel.java:41) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.support.ChannelActionListener.onResponse(ChannelActionListener.java:38) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.support.ChannelActionListener.onResponse(ChannelActionListener.java:19) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$2(SecurityActionFilter.java:169) [x-pack-security-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.ActionListener$DelegatingFailureActionListener.onResponse(ActionListener.java:219) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.ActionListener$DelegatingActionListener.onResponse(ActionListener.java:186) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.admin.indices.create.AutoCreateAction$TransportAction.lambda$masterOperation$1(AutoCreateAction.java:151) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.support.ActiveShardsObserver.waitForActiveShards(ActiveShardsObserver.java:68) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.admin.indices.create.AutoCreateAction$TransportAction.lambda$masterOperation$2(AutoCreateAction.java:147) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:136) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.AckedClusterStateUpdateTask.onAllNodesAcked(AckedClusterStateUpdateTask.java:59) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.service.MasterService$SafeAckedClusterStateTaskListener.onAllNodesAcked(MasterService.java:661) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.service.MasterService$TaskOutputs.lambda$notifySuccessfulTasksOnUnchangedClusterState$4(MasterService.java:545) [elasticsearch-8.1.3.jar:8.1.3]
	at java.util.ArrayList.forEach(ArrayList.java:1511) [?:?]
	at org.elasticsearch.cluster.service.MasterService$TaskOutputs.notifySuccessfulTasksOnUnchangedClusterState(MasterService.java:542) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.service.MasterService.runTasks(MasterService.java:244) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.service.MasterService$Batcher.run(MasterService.java:162) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.service.TaskBatcher.runIfNotProcessed(TaskBatcher.java:152) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.cluster.service.TaskBatcher$BatchedTask.run(TaskBatcher.java:208) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:717) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:260) [elasticsearch-8.1.3.jar:8.1.3]
	at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:223) [elasticsearch-8.1.3.jar:8.1.3]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
	at java.lang.Thread.run(Thread.java:833) [?:?]

You tagged this as a logstash question. You should re-tag it so that it moves over to the Elasticsearch forum.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.