Cannot write to a field alias [user.domain]

I recently installed a single instance of Winlogbeat 7.5.0 on a host to test log ingestion from the 7.5.0 beater version into Logstash and then into our production Elasticsearch environment. Our Elastic environment is on version 7.4.2, and beaters are still on 6.7.1.
Log data makes it into Elasticsearch and can be browsed in Kibana under Discover. However, the following warning is repeatedly shown in the Logstash server logs.

[2020-01-06T00:14:33,307][WARN ][logstash.outputs.elasticsearch][winlogbeat-dc] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"winlogbeat-7.5.0-dc-um", :_type=>"_doc", :routing=>nil}, #LogStash::Event:0x20a5bb71], :response=>{"index"=>{"_index"=>"winlogbeat-7.5.0-dc-um-2020.01.02-000001", "_type"=>"_doc", "_id"=>"J2x9eW8BIofUioNWniFB", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Cannot write to a field alias [user.domain]."}}}}}

Is there a way to fix resolve\clear this warning message or did I stumble across a bug?

The shipped Winlogbeat-7.5.0 template is loaded into Elasticsearch, and it does match the index pattern outlined in the provided warning message. The Winlogbeat-7.5.0 template lists user.domain as an alias of winlog.user.domain.

For what it is worth, this line is enabled in the Winlogbeat 7.5.0 .yml file:
migration.6_to_7.enabled: true

This is beginning to look like a winlogbeat bug.

The winlogbeat-7.5.0 template was loaded with

migration.6_to_7.enabled: true

which created field aliases including user.domain.

Data is being sent via logstash, testing with rubydebug verifies that these fields are being sent by winlogbeat

"user" => {
"domain" => "VALUE",
"name" => "NAME",
"ID" => "STUFF"

I think winlogbeat should be sending these as an object in the winlog object. As is, it causes the reported error.

Loading the template without migration.6_to_7.enabled eliminates the error, but the fields ARE stored as user.domain etc, which isn't correct for ECS.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.