bropid
December 10, 2021, 8:10am
1
Hi, i'm try to parse the ngfw event with logstash in tcp port 5000 to Elasticsearch but the logstash-plain.log always said:
"status"=>400, "error"=>{"type"=>"ma pper_parsing_exception", "reason"=>"object mapping for [host] tried to parse fie ld [host] as object, but found a concrete value"
my logstash config is:
input {
tcp {
port => 5000
codec => cef {
delimiter => "\n"
ecs_compatibility => v1
}
}
}
output {
elasticsearch {
hosts => "<my ip>:9200"
user => "elastic"
password => "<mypass>"
index => "ngfw"
ecs_compatibility => disabled
}
}
What should i do to make the event show in kibana?
bropid
December 10, 2021, 12:01pm
2
This is the example on of the logs:
[2021-12-10T11:18:05,919][WARN ][logstash.outputs.elasticsearch][main][191a48d708ce268260e394dcd10fa3216c216c4b3e54757d7b36c439b470dd20] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"ngfw", :routing=>nil}, {"observer"=>{"name"=>"xx node 1", "ip"=>"xx", "product"=>"Firewall", "version"=>"6.9.0", "vendor"=>"xx", "ingress"=>{"interface"=>{"name"=>"12"}}, "hostname"=>"xx"}, "destination"=>{"ip"=>"xx", "port"=>"62912"}, "source"=>{"ip"=>"xx", "port"=>"21694"}, "host"=>"xx", "@version"=>"1", "@timestamp"=>2021-12-10T18:18:03.000Z, "port"=>36616, "log"=>{"syslog"=>{"facility"=>{"code"=>"Packet Filtering"}}}, "cef"=>{"name"=>"Connection_Discarded", "version"=>"<6>CEF:0", "device_custom_string_1"=>{"label"=>"RuleID", "value"=>"21.0"}}, "network"=>{"protocol"=>"UDP/62912", "transport"=>"17"}, "event"=>{"action"=>"Discard", "severity"=>"0", "code"=>"70019"}}], :response=>{"index"=>{"_index"=>"ngfw", "_type"=>"_doc", "_id"=>"lO8QpH0Bx0dBNubZhZ1Z", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"}}}}
system
January 7, 2022, 4:53pm
4
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.