I recently installed a single instance of Winlogbeat 7.5.0 on a host to test log ingestion from the 7.5.0 beater version into Logstash and then into our production Elasticsearch environment. Our Elastic environment is on version 7.4.2, and beaters are still on 6.7.1.
Log data makes it into Elasticsearch and can be browsed in Kibana under Discover. However, the following warning is repeatedly shown in the Logstash server logs.
[2020-01-06T00:14:33,307][WARN ][logstash.outputs.elasticsearch][winlogbeat-dc] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"winlogbeat-7.5.0-dc-um", :_type=>"_doc", :routing=>nil}, #LogStash::Event:0x20a5bb71], :response=>{"index"=>{"_index"=>"winlogbeat-7.5.0-dc-um-2020.01.02-000001", "_type"=>"_doc", "_id"=>"J2x9eW8BIofUioNWniFB", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Cannot write to a field alias [user.domain]."}}}}}
Is there a way to fix/resolve/clear this warning message, or did I stumble across a bug?
The shipped Winlogbeat-7.5.0 template is loaded into Elasticsearch, and it does match the index pattern outlined in the provided warning message. The Winlogbeat-7.5.0 template lists user.domain as an alias of winlog.user.domain.
For what it is worth, this line is enabled in the Winlogbeat 7.5.0 .yml file:
migration.6_to_7.enabled: true
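As an added example (not code from the original post or from Elastic), the following script walks an index template's mappings for `alias` fields and flags the document fields that would trigger the "Cannot write to a field alias" rejection shown in the warning above. The template fragment and the event are constructed stand-ins; the only alias relationship taken from the post is user.domain pointing at winlog.user.domain.

```python
import copy

# Constructed stand-in for the relevant fragment of the winlogbeat-7.5.0
# template mapping (assumption: the real template is far larger).
TEMPLATE_MAPPINGS = {
    "properties": {
        "user": {"properties": {
            "domain": {"type": "alias", "path": "winlog.user.domain"},
            "name": {"type": "alias", "path": "winlog.user.name"}}},
        "winlog": {"properties": {"user": {"properties": {
            "domain": {"type": "keyword"}, "name": {"type": "keyword"}}}}},
    }
}

# Constructed event carrying both the ECS field and the winlog.* field
# (assumption: not a captured Winlogbeat event).
EVENT = {
    "user": {"domain": "EXAMPLE", "name": "alice"},
    "winlog": {"user": {"domain": "EXAMPLE", "name": "alice"}, "event_id": 4624},
}


def collect_aliases(mappings, prefix=""):
    """Return {alias_path: target_path} for every alias field in the mapping."""
    aliases = {}
    for name, spec in mappings.get("properties", {}).items():
        path = prefix + name
        if spec.get("type") == "alias":
            aliases[path] = spec["path"]
        elif "properties" in spec:
            aliases.update(collect_aliases(spec, path + "."))
    return aliases


def _lookup(doc, path):
    """Follow a dotted path through nested dicts; None if any part is missing."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def find_alias_writes(doc, aliases):
    """Return [(alias, target, value)] for fields Elasticsearch would reject."""
    return [(a, t, _lookup(doc, a)) for a, t in aliases.items()
            if _lookup(doc, a) is not None]


def strip_alias_writes(doc, aliases):
    """Return a copy of doc with alias-path leaves removed; empty parents pruned."""
    out = copy.deepcopy(doc)
    for alias in aliases:
        parts, parents = alias.split("."), [out]
        for part in parts[:-1]:
            node = parents[-1].get(part)
            if not isinstance(node, dict):
                break
            parents.append(node)
        else:
            parents[-1].pop(parts[-1], None)
            for part, parent in zip(reversed(parts[:-1]), reversed(parents[:-1])):
                if parent.get(part) == {}:
                    del parent[part]  # prune containers emptied by the pop
    return out
```

Running `find_alias_writes` over an event before it reaches the output is a cheap way to tell whether the beat really is emitting the aliased ECS path alongside winlog.user.domain, rather than the mapping being wrong.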