Error while installing the index - unsupported parameters

Ahana_Ambshri · June 25, 2019, 7:45pm

Hi,

I am following https://github.com/sm-biz/paloalto-elasticstack-viz/wiki tutorial to import PA traffic to my kibana. While trying to install the index "curl -XPUT http://x.x.x.x:9200/_template/panos-threat?pretty -H 'Content-Type: application/json' -d @threat_template_mapping-v1.json", I am getting the following error. I am not sure what exactly is unsupported as it's giving everything as unsupported.

{
 "error" : {
"root_cause" : [
  {
    "type" : "mapper_parsing_exception",
    "reason" : "Root mapping definition has unsupported parameters:  [default : {properties={RepeatCount={type=long}, Miscellaneous={type=text, fields={keyword={ignore_above=256, type=keyword}}}, ContentType={type=text, fields={keyword={ignore_above=256, type=keyword}}}, ReportID={type=long}, type={type=text, fields={keyword={ignore_above=256, type=keyword}}}, DestinationPort={type=integer}, GeneratedTime={format=yyyy/MM/dd HH:mm:ss||yyyy/MM/dd||epoch_millis, type=date}, path={type=text, fields={keyword={ignore_above=256, type=keyword}}}, SourceZone={type=text, fields={keyword={ignore_above=256, type=keyword}}}, HTTPMethod={type=text, fields={keyword={ignore_above=256, type=keyword}}}, PCAP_ID={type=integer}, SequenceNumber={type=long}, TunnelID_IMSI={type=long}, host={type=text, fields={keyword={ignore_above=256, type=keyword}}}, NATSourceIP={type=ip}, DestinationLocation={type=text, fields={keyword={ignore_above=256, type=keyword}}}, NATDestinationPort={type=integer}, RuleName={type=text, fields={keyword={ignore_above=256, type=keyword}}}, syslog_host={type=text, fields={keyword={ignore_above=256, type=keyword}}}, MonitorTag_IMEI={type=text, fields={keyword={ignore_above=256, type=keyword}}}, URLIndex={type=text, fields={keyword={ignore_above=256, type=keyword}}}, DestinationIPGeo={properties={timezone={type=text, fields={keyword={ignore_above=256, type=keyword}}}, ip={type=ip}, latitude={type=half_float}, continent_code={type=text, fields={keyword={ignore_above=256, type=keyword}}}, city_name={type=text, fields={keyword={ignore_above=256, type=keyword}}}, country_code2={type=text, fields={keyword={ignore_above=256, type=keyword}}}, country_name={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dma_code={type=short}, country_code3={type=text, fields={keyword={ignore_above=256, type=keyword}}}, location={type=geo_point}, region_name={type=text, fields={keyword={ignore_above=256, type=keyword}}}, postal_code={type=text, fields={keyword={type=short}}}, longitude={type=half_float}, region_code={type=text, fields={keyword={ignore_above=256, type=keyword}}}}}, Recipient={type=text, fields={keyword={ignore_above=256, type=keyword}}}, tags={type=text, fields={keyword={ignore_above=256, type=keyword}}}, Sender={type=text, fields={keyword={ignore_above=256, type=keyword}}}, DeviceGroupHierarchyLevel4={type=short}, DeviceGroupHierarchyLevel3={type=short}, LogForwardingProfile={type=text, fields={keyword={ignore_above=256, type=keyword}}}, SerialNumber={type=text, fields={keyword={ignore_above=256, type=keyword}}}, DeviceGroupHierarchyLevel2={type=short}, SourceUser={type=text, fields={keyword={ignore_above=256, type=keyword}}}, DeviceGroupHierarchyLevel1={type=short}, SourceVMUUID={type=text, fields={keyword={ignore_above=256, type=keyword}}}, ParentStartTime={format=yyyy/MM/dd HH:mm:ss||yyyy/MM/dd||epoch_millis, type=date}, ReceiveTime={format=yyyy/MM/dd HH:mm:ss||yyyy/MM/dd||epoch_millis, type=date}, ActionFlags={type=text, fields={keyword={ignore_above=256, type=keyword}}}, DestinationZone={type=text, fields={keyword={ignore_above=256, type=keyword}}}, Application={type=text, fields={keyword={ignore_above=256, type=keyword}}}, SessionID={type=long}, NATSourcePort={type=integer}, SourceLocation={type=text, fields={keyword={ignore_above=256, type=keyword}}}, VirtualSystem={type=text, fields={keyword={ignore_above=256, type=keyword}}}, Action={type=text, fields={keyword={ignore_above=256, type=keyword}}}, Category={type=text, fields={keyword={ignore_above=256, type=keyword}}}, VirtualSystemName={type=text, fields={keyword={ignore_above=256, type=keyword}}}, InboundInterface={type=text, fields={keyword={ignore_above=256, type=keyword}}}, ParentSessionID={type=integer}, SourcePort={type=integer}, Direction={type=text, fields={keyword={ignore_above=256, type=keyword}}}, URLCategory={type=text, fields={keyword={ignore_above=256, type=keyword}}}, OutboundInterface={type=text, fields={keyword={ignore_above=256, type=keyword}}}, ThreatCategory={type=text, fields={keyword={ignore_above=256, type=keyword}}}, SourceIP={type=ip}, ContentVersion={type=text, fields={keyword={ignore_above=256, type=keyword}}}, @version={type=byte}, SourceIPGeo={properties={timezone={type=text, fields={keyword={ignore_above=256, type=keyword}}}, ip={type=ip}, latitude={type=half_float}, continent_code={type=text, fields={keyword={ignore_above=256, type=keyword}}}, city_name={type=text, fields={keyword={ignore_above=256, type=keyword}}}, country_code2={type=text, fields={keyword={ignore_above=256, type=keyword}}}, country_name={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dma_code={type=long}, country_code3={type=text, fields={keyword={ignore_above=256, type=keyword}}}, location={type=geo_point}, region_name={type=text, fields={keyword={ignore_above=256, type=keyword}}}, postal_code={type=text, fields={keyword={ignore_above=256, type=keyword}}}, longitude={type=half_float}, region_code={type=text, fields={keyword={ignore_above=256, type=keyword}}}}}, UserAgent={type=text, fields={keyword={ignore_above=256, type=keyword}}}, Protocol={type=text, fields={keyword={ignore_above=256, type=keyword}}}, Threat_ContentType={type=text, fields={keyword={ignore_above=256, type=keyword}}}, DestinationUser={type=text, fields={keyword={ignore_above=256, type=keyword}}}, FUTURE_USE={type=text, fields={keyword={ignore_above=256, type=keyword}}}, TunnelType={type=text, fields={keyword={ignore_above=256, type=keyword}}}, DestinationVMUUID={type=text, fields={keyword={ignore_above=256, type=keyword}}}, ThreatID={type=text, fields={keyword={ignore_above=256, type=keyword}}}, NATDestinationIP={type=ip}, Referer={type=text, fields={keyword={ignore_above=256, type=keyword}}}, Severity={type=text, fields={keyword={ignore_above=256, type=keyword}}}, Flags={type=text, fields={keyword={ignore_above=256, type=keyword}}}, Subject={type=text, fields={keyword={ignore_above=256, type=keyword}}}, DestinationIP={type=ip}, Type={type=text, fields={keyword={ignore_above=256, type=keyword}}}, @timestamp={type=date}, FileType={type=text, fields={keyword={ignore_above=256, type=keyword}}}, Cloud={type=text, fields={keyword={ignore_above=256, type=keyword}}}, X-Forwarded-For={type=ip}, FileDigest={type=text, fields={keyword={ignore_above=256, type=keyword}}}, DeviceName={type=text, fields={keyword={ignore_above=256, type=keyword}}}}}]"
  }
],
},
 "status" : 400
}

I am using the latest ELK stack.

abdon · June 26, 2019, 3:18pm

It looks like that tutorial is for an older version of the Stack. In order for these templates to work with version 7, you need to delete line 8 from the json mapping files (the line "_default_" : { ), and also a line with a closing } curly bracket from the end of the file.

Ahana_Ambshri · June 28, 2019, 1:31pm

Thank you so much. Now I can successfully install the indexes

system · July 26, 2019, 1:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.