Error in threshold rules when using ECS


The following error occurs when the rule is running. Please help me understand the reason.

Bulk Indexing of signals failed: Could not dynamically add mapping for field [source.ip.keyword]. Existing mapping for [source.ip] must be of type object but found [ip]. name: "portal_401_auth_url" id: "a6a383a0-5120-11ec-8c9b-252e6168d6fb" rule id: "966a2a33-84a6-4d54-bc12-334542b02c9b" signals index: ".siem-signals-default" 
GET /fortiweb-logs-2021.12/_mapping/field/source.ip

{
  "fortiweb-logs-2021.12" : {
    "mappings" : {
      "source.ip" : {
        "full_name" : "source.ip",
        "mapping" : {
          "ip" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }
        }
      }
    }
  }
}

I used rename to align with ECS:

filter {
  mutate {
    # Logstash mutate rename: square-bracket references are nested fields,
    # so "[source][ip]" becomes the ECS field source.ip in the document.
    rename => {
      "syslog5424_pri"         => "[log][syslog][priority]"
      "[device_id]"            => "[observer][serial_number]"
      "[log_id]"               => "[event][code]"
      "[msg_id]"               => "[event][sequence]"
      "[msg]"                  => "[message]"
      "[policy]"               => "[rule][ruleset]"
      "[action]"               => "[event][action]"
      "[cipher_suite]"         => "[tls][cipher]"
      "[dst]"                  => "[destination][ip]"
      "[http_agent]"           => "[user_agent][original]"
      "[http_host]"            => "[url][domain]"
      "[http_method]"          => "[http][request][method]"
      "[http_refer]"           => "[http][request][referrer]"
      "[http_request_bytes]"   => "[http][request][bytes]"
      "[http_request_time]"    => "[http][request][duration]"
      "[http_response_bytes]"  => "[http][response][bytes]"
      "[http_response_time]"   => "[http][response][duration]"
      "[http_retcode]"         => "[http][response][status_code]"
      "[http_url]"             => "[url][path]"
      "[http_version]"         => "[http][version]"
      "[protocol]"             => "[network][transport]"
      "[reason]"               => "[event][reason]"
      "[service]"              => "[network][protocol]"
      "[signature_cve_id]"     => "[vulnerability][id]"
      "[src_ip]"               => "[source][ip]"
      "[source_port]"          => "[source][port]"
      "[threat_level]"         => "[vulnerability][severity]"
      "[user]"                 => "[user][name]"
      "[timezone]"             => "[event][timezone]"
      "[username]"             => "[user][name]"
      "[log_level]"            => "[log][level]"
      # source field name as written in the original config; this entry only
      # matches an input field spelled exactly "destinastion_port"
      "[destinastion_port]"    => "[destination][port]"
      "[dst_ip]"               => "[destination][ip]"
      "[original_src_country]" => "[geo][country_name]"
      "[http_user_agent]"      => "[user_agent][original]"
      "[http_retry_code]"      => "[http][response][status_code]"
    }
  }
}
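As an added example (not from this post, and not Elastic's own tooling), a small check that reads a `_mapping/field` response and flags any field whose mapping does not match the ECS type the signals index expects, specifically catching the "text plus `.keyword` subfield" shape that dynamic mapping produces for `source.ip` above. The sample response is constructed to mirror the post's index; `ECS_TYPES`, `check_ecs_mapping` and `ecs_ip_template` are names chosen for this example.

```python
import json

# Expected ECS types for a subset of the fields the Logstash rename above
# produces (ECS types source.ip and destination.ip as "ip").
ECS_TYPES = {
    "source.ip": "ip",
    "destination.ip": "ip",
    "source.port": "long",
    "user.name": "keyword",
}

# Constructed sample in the shape of GET <index>/_mapping/field/<fields>:
# source.ip as in the post (dynamically mapped text + keyword subfield),
# destination.ip and source.port typed correctly, user.name absent.
SAMPLE_RESPONSE = json.loads("""
{ "fortiweb-logs-2021.12": { "mappings": {
    "source.ip": { "full_name": "source.ip",
      "mapping": { "ip": { "type": "text",
        "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } } } } },
    "destination.ip": { "full_name": "destination.ip",
      "mapping": { "ip": { "type": "ip" } } },
    "source.port": { "full_name": "source.port",
      "mapping": { "port": { "type": "long" } } }
} } }
""")

def check_ecs_mapping(response, expected=ECS_TYPES):
    """Return {field: problem} for each expected field whose index mapping
    is missing or has a different type than ECS (and the signals index) wants."""
    problems = {}
    for body in response.values():
        mappings = body.get("mappings", {})
        for field, want in expected.items():
            entry = mappings.get(field)
            if entry is None:
                problems[field] = "not mapped yet (dynamic mapping will guess its type)"
                continue
            leaf = next(iter(entry["mapping"].values()))  # e.g. {"type": "text", ...}
            got = leaf.get("type")
            if got != want:
                msg = f"type {got!r}, expected {want!r}"
                if "keyword" in leaf.get("fields", {}):
                    msg += f" (has {field}.keyword subfield: looks dynamically mapped)"
                problems[field] = msg
    return problems

def ecs_ip_template():
    """Explicit mapping for an index template so the ip fields are typed
    'ip' before the first document arrives and dynamic mapping never runs."""
    return {"mappings": {"properties": {
        "source": {"properties": {"ip": {"type": "ip"}}},
        "destination": {"properties": {"ip": {"type": "ip"}}}}}}
```

Run `check_ecs_mapping` against the real response of `GET fortiweb-logs-*/_mapping/field/source.ip,destination.ip,...` before enabling a rule; a clean result means no field will collide with the signals index mapping.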

Welcome to our community! :smiley:

It means you have something that is inserting an object and not a keyword. You might need to find out where that is coming from.


Tell me how you can determine who is doing this. The source of the data is only logstash. I apologize for the possibly stupid questions. I am just starting to use elastic.
