Hi all,
When parsing an XML, I have an error
"Can't merge a non object mapping [poc.ports.port.script.elem] with an object mapping [poc.ports.port.script.elem]"
Searching in the forum I found that the error appears when the document does not match the mapping in ES, but in my case mapping still do not exists.
How this is possible?
Thank you!
Regards
Ana
If you have both occurrences in the same document you will get a mapping error when Elasticsearch tries to create mappings for it. What does the document look like?
Hi Christian,
My document is a (simplified version) of an NMAP xml output.
The problem is when try to parse the second script element in port 443, but I don't know how to solve it.
Thanks a lot!
Regards
Ana
LS Conf (Filter)
filter {
xml { source => "message"
target => poc
xpath => ["host/address/@addr", ip]
xpath => ["host/status/@state", state]
xpath => ["host/status/@reason", reason]
}
if [message] =~ /^<host starttime/ {
split {
field => "[poc][ports][0][port]"
}
}
if [message] =~ /^<task/ {
drop { }
}
}
Document
<host starttime="1551225720" endtime="1551226381"><status state="up" reason="syn-ack" reason_ttl="0"/>
<address addr="x.y95.165" addrtype="ipv4"/>
<hostnames>
<hostname name="static-x-y-95-165.domain" type="PTR"/>
</hostnames>
<ports><extraports state="filtered" count="65528">
<extrareasons reason="no-responses" count="65528"/>
</extraports>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="smtp" product="Postfix smtpd" hostname=" FW_ENTERPRISE" method="probed" conf="10"><cpe>cpe:/a:postfix:postfix</cpe></service><script id="smtp-commands" output="FW_ENTERPRISE, SIZE, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, "/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http" product="Check Point NGX Firewall-1" method="probed" conf="10"><cpe>cpe:/a:checkpoint:firewall-1</cpe></service></port>
<port protocol="tcp" portid="264"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="fw1-topology" product="Check Point FireWall-1 Topology" devicetype="firewall" method="probed" conf="10"><cpe>cpe:/a:checkpoint:firewall-1</cpe></service></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http" product="Connectra Check Point Web Security httpd" devicetype="security-misc" tunnel="ssl" method="probed" conf="10"><cpe>cpe:/a:checkpoint:connectra</cpe></service>
<script id="http-methods" output="
 Supported Methods: GET HEAD POST OPTIONS">
<table key="Supported Methods">
<elem>GET</elem>
<elem>HEAD</elem>
<elem>POST</elem>
<elem>OPTIONS</elem>
</table>
</script>
<script id="ssl-date" output="2019-02-27T00:12:30+00:00; -1s from scanner time.">
<elem key="date">2019-02-27T00:12:30+00:00</elem>
<elem key="delta">-1.0</elem>
</script>
</port>
<port protocol="tcp" portid="500"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="isakmp" method="table" conf="3"/></port>
<port protocol="tcp" portid="15001"><state state="closed" reason="conn-refused" reason_ttl="0"/><service name="unknown" method="table" conf="3"/></port>
</ports>
</host>© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.