Hi,
I'm getting a warning when ingesting data into a data stream from winlogbeat > logstash, then output to Elasticsearch.
Below is the warning message. Can anyone assist me? What should I do to resolve it?
Apr 19 21:34:10 z3lynx-logs-02 logstash[47910]: [2022-04-19T21:34:10,723][WARN ][logstash.outputs.elasticsearch][main][0a7212f931cbeda2c2d8a0b7cfa39e757359a378bb5b2ce2811861c717a414f8] Could not index event to Elasticsearch.
{:status=>400, :action=>["index", {:_id=>nil, :_index=>"winlogbeat-8.1.2-2022.04.19", :routing=>nil}, {"@version"=>"1", "@timestamp"=>2022-04-19T13:34:17.950Z, "winlog"=>{"process"=>{"thread"=>{"id"=>4776}, "pid"=>4}, "keywords"=>["Audit Success"], "opcode"=>"Info", "api"=>"wineventlog", "provider_guid"=>"{54849625-5478-4994-A5BA-3E3B0328C30D}",
"task"=>"Filtering Platform Connection", "provider_name"=>"Microsoft-Windows-Security-Auditing", "event_id"=>"5156", "record_id"=>323167969, "computer_name"=>"zeus01.my.internal", "version"=>1, "event_data"=>{"RemoteMachineID"=>"S-1-0-0", "DestAddress"=>"10.1.4.1",
"ProcessID"=>"2484", "LayerName"=>"%%14610", "Direction"=>"%%14592", "FilterRTID"=>"0", "DestPort"=>"53", "SourcePort"=>"45803", "Application"=>"\\device\\harddiskvolume2\\windows\\system32\\dns.exe",
"SourceAddress"=>"10.1.4.11", "Protocol"=>"17", "LayerRTID"=>"44", "RemoteUserID"=>"S-1-0-0"}, "channel"=>"Security"}, "agent"=>{"version"=>"8.1.2", "id"=>"2d8c24dd-1d21-4a30-ade1-725eff0873c8", "ephemeral_id"=>"d4e5ad47-6830-4130-af16-fe2113f0548c", "type"=>"winlogbeat", "name"=>"zeus01"}, "event"=>{"kind"=>"event",
"original"=>"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2484\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t10.1.4.11\n\tSource Port:\t\t45803\n\tDestination Address:\t10.1.4.1\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44",
"created"=>"2022-04-19T13:34:19.292Z", "action"=>"Filtering Platform Connection", "provider"=>"Microsoft-Windows-Security-Auditing", "outcome"=>"success", "code"=>"5156"},
"host"=>{"id"=>"0d16da59-b137-4ce2-be39-d10604f23521", "ip"=>["10.1.4.1", "fe80::5efe:a01:401"], "name"=>"zeus01.my.internal", "mac"=>["00:50:56:89:ba:9a", "00:00:00:00:00:00:00:e0"], "hostname"=>"zeus01", "os"=>{"version"=>"10.0", "type"=>"windows", "name"=>"Windows Server 2016 Datacenter", "build"=>"14393.4825", "platform"=>"windows", "kernel"=>"10.0.14393.4825 (rs1_release.211202-1611)", "family"=>"windows"},
"architecture"=>"x86_64"}, "message"=>"The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t2484\n\tApplication Name:\t\\device\\harddiskvolume2\\windows\\system32\\dns.exe\n\nNetwork Information:\n\tDirection:\t\tInbound\n\tSource Address:\t\t10.1.4.11\n\tSource Port:\t\t45803\n\tDestination Address:\t10.1.4.1\n\tDestination Port:\t\t53\n\tProtocol:\t\t17\n\nFilter Information:\n\tFilter Run-Time ID:\t0\n\tLayer Name:\t\tReceive/Accept\n\tLayer Run-Time ID:\t44",
"log"=>{"level"=>"information"}, "tags"=>["beats_input_codec_plain_applied"], "ecs"=>{"version"=>"8.0.0"}}], :response=>{"index"=>{"_index"=>"winlogbeat-8.1.2-2022.04.19", "_id"=>nil, "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"only write ops with an op_type of create are allowed in data streams"}}}}