Field [winlog.event_data.ProcessCreationTime] of type [keyword] does not support custom formats

Hi,

I have winlogbeat sending data via logstash to elasticsearch from a Windows 10 box.

In Kibana I get

Type: illegal_argument_exception

Reason: Field [winlog.event_data.ProcessCreationTime] of type [keyword] does not support custom formats

What can I do about this?

By the way, data before the 7th of May, including the 6th of May, can be accessed without this issue; all dates after cause this error.

Best regards,
Robert

Hi,

I just found out that the index mapping differs between the indices, with "ProcessCreationTime" present in one but not the others:

> diff.exe winlogbeat-7.7.0-2020.06.03 winlogbeat-7.7.0-2020.05.03
3244c3244
<                 "AdapterName": {
---
>                 "AccessMask": {
3247,3250c3247
<                 "AdapterSuffixName": {
<                   "type": "keyword"
<                 },
<                 "Address": {
---
>                 "AdapterName": {
3253c3250
<                 "AddressLength": {
---
>                 "AdapterSuffixName": {
3256c3253
<                 "Attributes": {
---
>                 "AlgorithmName": {
3263,3265d3259
<                 "AverageResume": {
<                   "type": "keyword"
<                 },
3270,3272d3263
<                 "BiosInitDuration": {
<                   "type": "keyword"
<                 },
3285,3287d3275
<                 "BufferSize": {
<                   "type": "keyword"
<                 },
3291a3280,3285
>                 "CallerProcessId": {
>                   "type": "keyword"
>                 },
>                 "CallerProcessName": {
>                   "type": "keyword"
>                 },
3295c3289,3292
<                 "CheckpointDuration": {
---
>                 "ClientCreationTime": {
>                   "type": "keyword"
>                 },
>                 "ClientProcessId": {
3308a3306,3308
>                 "CountOfCredentialsReturned": {
>                   "type": "keyword"
>                 },
3344,3346d3343
<                 "DirtyPages": {
<                   "type": "keyword"
<                 },
3357,3359d3353
<                 "DriverInitDuration": {
<                   "type": "keyword"
<                 },
3372c3366
<                 "EffectiveState": {
---
>                 "ElevatedToken": {
3382c3376
<                 "ErrorMessage": {
---
>                 "ErrorDescription": {
3385,3387c3379,3380
<                 "ExtraInfo": {
<                   "type": "keyword",
<                   "ignore_above": 1024
---
>                 "ErrorMessage": {
>                   "type": "keyword"
3389c3382
<                 "ExtraString": {
---
>                 "ExtensionId": {
3392c3385
<                 "ExtraStringLength": {
---
>                 "ExtensionName": {
3394a3388,3391
>                 "ExtraInfo": {
>                   "type": "keyword",
>                   "ignore_above": 1024
>                 },
3407,3418d3403
<                 "FilesCachedFirstPass": {
<                   "type": "keyword"
<                 },
<                 "FilesMissedSecondPass": {
<                   "type": "keyword"
<                 },
<                 "FilesResident": {
<                   "type": "keyword"
<                 },
<                 "FilesScoped": {
<                   "type": "keyword"
<                 },
3423c3408
<                 "FullResume": {
---
>                 "Flags": {
3430,3442c3415
<                 "HiberPagesWritten": {
<                   "type": "keyword"
<                 },
<                 "HiberReadDuration": {
<                   "type": "keyword"
<                 },
<                 "HiberWriteDuration": {
<                   "type": "keyword"
<                 },
<                 "HiveName": {
<                   "type": "keyword"
<                 },
<                 "HiveNameLength": {
---
>                 "HandleId": {
3450a3424,3426
>                 "Identity": {
>                   "type": "keyword"
>                 },
3467,3469d3442
<                 "InternalCode": {
<                   "type": "keyword"
<                 },
3480a3454,3456
>                 "KeyFilePath": {
>                   "type": "keyword"
>                 },
3485c3461,3464
<                 "KeysUpdated": {
---
>                 "KeyName": {
>                   "type": "keyword"
>                 },
>                 "KeyType": {
3496,3498d3474
<                 "Library": {
<                   "type": "keyword"
<                 },
3522a3499,3501
>                 "MandatoryLabel": {
>                   "type": "keyword"
>                 },
3553,3555d3531
<                 "NTSTATUS": {
<                   "type": "keyword"
<                 },
3568,3570d3543
<                 "NewSize": {
<                   "type": "keyword"
<                 },
3575,3577d3547
<                 "NoMultiStageResumeReason": {
<                   "type": "keyword"
<                 },
3585a3556,3567
>                 "NumberOfGroupPolicyObjects": {
>                   "type": "keyword"
>                 },
>                 "ObjectName": {
>                   "type": "keyword"
>                 },
>                 "ObjectServer": {
>                   "type": "keyword"
>                 },
>                 "ObjectType": {
>                   "type": "keyword"
>                 },
3593a3576,3578
>                 "Operation": {
>                   "type": "keyword"
>                 },
3598,3600d3582
<                 "OriginalSize": {
<                   "type": "keyword"
<                 },
3627c3609
<                 "ProcessID": {
---
>                 "ProcessCreationTime": {
3655a3638,3640
>                 "ProviderName": {
>                   "type": "keyword"
>                 },
3668c3653
<                 "QueryName": {
---
>                 "ReadOperation": {
3678c3663
<                 "RequiredSize": {
---
>                 "Resource": {
3681c3666
<                 "ResumeCount": {
---
>                 "RestrictedAdminMode": {
3687c3672,3678
<                 "RmId": {
---
>                 "ReturnCode": {
>                   "type": "keyword"
>                 },
>                 "Schema": {
>                   "type": "keyword"
>                 },
>                 "SchemaFriendlyName": {
3736,3753d3726
<                 "SleepDuration": {
<                   "type": "keyword"
<                 },
<                 "SleepTime": {
<                   "type": "keyword"
<                 },
<                 "SnapshotPath": {
<                   "type": "keyword"
<                 },
<                 "SourceFileID": {
<                   "type": "keyword"
<                 },
<                 "SourceLine": {
<                   "type": "keyword"
<                 },
<                 "SourceTag": {
<                   "type": "keyword"
<                 },
3792,3797d3764
<                 "SuspendEnd": {
<                   "type": "keyword"
<                 },
<                 "SuspendStart": {
<                   "type": "keyword"
<                 },
3809a3777,3779
>                 "TargetLinkedLogonId": {
>                   "type": "keyword"
>                 },
3817a3788,3796
>                 "TargetName": {
>                   "type": "keyword"
>                 },
>                 "TargetOutboundDomainName": {
>                   "type": "keyword"
>                 },
>                 "TargetOutboundUserName": {
>                   "type": "keyword"
>                 },
3822c3801
<                 "TargetState": {
---
>                 "TargetSid": {
3837c3816
<                 "TmId": {
---
>                 "TimeProvider": {
3844,3849d3822
<                 "TotalDirectories": {
<                   "type": "keyword"
<                 },
<                 "TotalFiles": {
<                   "type": "keyword"
<                 },
3856a3830,3832
>                 "Type": {
>                   "type": "keyword"
>                 },
3861,3863d3836
<                 "Username": {
<                   "type": "keyword"
<                 },
3868,3886c3841
<                 "VolumeName": {
<                   "type": "keyword"
<                 },
<                 "WakeDuration": {
<                   "type": "keyword"
<                 },
<                 "WakeSourceTextLength": {
<                   "type": "keyword"
<                 },
<                 "WakeSourceType": {
<                   "type": "keyword"
<                 },
<                 "WakeTime": {
<                   "type": "keyword"
<                 },
<                 "WakeTimerContextLength": {
<                   "type": "keyword"
<                 },
<                 "WakeTimerOwnerLength": {
---
>                 "VirtualAccount": {
3903,3908d3857
<                 "param12": {
<                   "type": "keyword"
<                 },
<                 "param13": {
<                   "type": "keyword"
<                 },
3939,3950d3887
<                 },
<                 "serviceGuid": {
<                   "type": "keyword"
<                 },
<                 "updateGuid": {
<                   "type": "keyword"
<                 },
<                 "updateRevisionNumber": {
<                   "type": "keyword"
<                 },
<                 "updateTitle": {
<                   "type": "keyword"
3961a3899,3910
>             "logon": {
>               "properties": {
>                 "id": {
>                   "type": "keyword",
>                   "ignore_above": 1024
>                 },
>                 "type": {
>                   "type": "keyword",
>                   "ignore_above": 1024
>                 }
>               }
>             },
4022,4024d3970
<                 "Name": {
<                   "type": "keyword"
<                 },

What causes this? How can I repair this and prevent further problems?

Where do you see this error? What action were you doing when it happens?

The fields under winlog.event_data.* will all have a mapping type of keyword if the index template from Winlogbeat was installed properly.

These winlog.event_data.* fields are not all known a priori, since any event can establish its own parameter names. But the data will always be mapped to a keyword.

If it's an issue with a Kibana index pattern not knowing about a particular winlog.event_data field then you can refresh the Kibana index pattern to pick up any new fields from the index mappings.
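The check described in this thread (which winlog.event_data.* fields differ between two winlogbeat indices, and whether every one of them is mapped as keyword as the template intends), as an added example that is not code from the thread or from Winlogbeat. The two mappings are constructed stand-ins for what `GET /<index>/_mapping` returns; in practice you would load the real responses with `json.load()`.

```python
"""Compare winlog.event_data.* mappings of two indices and flag non-keyword fields."""
from typing import Dict, Set, Tuple

# Constructed mappings for two hypothetical winlogbeat indices. Only the
# winlog.event_data subtree is shown; real mappings carry thousands of fields.
OLD_INDEX = {"mappings": {"properties": {"winlog": {"properties": {"event_data": {
    "properties": {
        "ProcessID": {"type": "keyword"},
        "ExtraInfo": {"type": "keyword", "ignore_above": 1024},
        "Flags": {"type": "keyword"},
    }}}}}}}
NEW_INDEX = {"mappings": {"properties": {"winlog": {"properties": {"event_data": {
    "properties": {
        "ProcessCreationTime": {"type": "keyword"},
        "ExtraInfo": {"type": "keyword", "ignore_above": 1024},
        "Flags": {"type": "long"},           # constructed type conflict
        "ElevatedToken": {"type": "date"},   # constructed: template not applied
    }}}}}}}


def event_data_fields(mapping: dict) -> Dict[str, str]:
    """Return {field_name: type} for every winlog.event_data.* field."""
    props = (mapping["mappings"]["properties"]["winlog"]["properties"]
             ["event_data"].get("properties", {}))
    return {name: spec.get("type", "object") for name, spec in props.items()}


def diff_event_data(old: dict, new: dict) -> Tuple[Set[str], Set[str], Dict[str, Tuple[str, str]]]:
    """Fields only in old, fields only in new, and fields whose type differs."""
    a, b = event_data_fields(old), event_data_fields(new)
    only_old = set(a) - set(b)
    only_new = set(b) - set(a)
    conflicts = {f: (a[f], b[f]) for f in set(a) & set(b) if a[f] != b[f]}
    return only_old, only_new, conflicts


def non_keyword_fields(mapping: dict) -> Dict[str, str]:
    """event_data fields not mapped as keyword: a sign the index template was not applied."""
    return {f: t for f, t in event_data_fields(mapping).items() if t != "keyword"}


if __name__ == "__main__":
    only_old, only_new, conflicts = diff_event_data(OLD_INDEX, NEW_INDEX)
    print("only in old:", sorted(only_old))
    print("only in new:", sorted(only_new))
    print("type conflicts:", conflicts)
    print("non-keyword in new:", non_keyword_fields(NEW_INDEX))
```

Fields that appear only in the newer index are the ones a stale Kibana index pattern will not know about; a type conflict or a non-keyword event_data field points at a mapping problem that refreshing the index pattern will not fix.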

I see it every time I try to access a winlogbeat index.

This doesn't seem to work properly.

I'll try that and report back.

Best regards,
Robert

Hi,

Refreshing the Kibana index pattern solved the problem.

Best regards,
Robert