Hi,
I have winlogbeat sending data via logstash to elasticsearch from a Windows 10 box.
In Kibana I get
Type illegal_argument_exception
Reason Field [winlog.event_data.ProcessCreationTime] of type [keyword] does not support custom formats
What can I do about this?
By the way, data before 7th of May, including 6th of May, can be accessed without this issue, all dates after causes this error.
Best regards,
Robert
Hi,
I just found out, that the index mapping differs for the indices with "ProcessCreationTime" present in one, but not the others:
> diff.exe winlogbeat-7.7.0-2020.06.03 winlogbeat-7.7.0-2020.05.03
3244c3244
< "AdapterName": {
---
> "AccessMask": {
3247,3250c3247
< "AdapterSuffixName": {
< "type": "keyword"
< },
< "Address": {
---
> "AdapterName": {
3253c3250
< "AddressLength": {
---
> "AdapterSuffixName": {
3256c3253
< "Attributes": {
---
> "AlgorithmName": {
3263,3265d3259
< "AverageResume": {
< "type": "keyword"
< },
3270,3272d3263
< "BiosInitDuration": {
< "type": "keyword"
< },
3285,3287d3275
< "BufferSize": {
< "type": "keyword"
< },
3291a3280,3285
> "CallerProcessId": {
> "type": "keyword"
> },
> "CallerProcessName": {
> "type": "keyword"
> },
3295c3289,3292
< "CheckpointDuration": {
---
> "ClientCreationTime": {
> "type": "keyword"
> },
> "ClientProcessId": {
3308a3306,3308
> "CountOfCredentialsReturned": {
> "type": "keyword"
> },
3344,3346d3343
< "DirtyPages": {
< "type": "keyword"
< },
3357,3359d3353
< "DriverInitDuration": {
< "type": "keyword"
< },
3372c3366
< "EffectiveState": {
---
> "ElevatedToken": {
3382c3376
< "ErrorMessage": {
---
> "ErrorDescription": {
3385,3387c3379,3380
< "ExtraInfo": {
< "type": "keyword",
< "ignore_above": 1024
---
> "ErrorMessage": {
> "type": "keyword"
3389c3382
< "ExtraString": {
---
> "ExtensionId": {
3392c3385
< "ExtraStringLength": {
---
> "ExtensionName": {
3394a3388,3391
> "ExtraInfo": {
> "type": "keyword",
> "ignore_above": 1024
> },
3407,3418d3403
< "FilesCachedFirstPass": {
< "type": "keyword"
< },
< "FilesMissedSecondPass": {
< "type": "keyword"
< },
< "FilesResident": {
< "type": "keyword"
< },
< "FilesScoped": {
< "type": "keyword"
< },
3423c3408
< "FullResume": {
---
> "Flags": {
3430,3442c3415
< "HiberPagesWritten": {
< "type": "keyword"
< },
< "HiberReadDuration": {
< "type": "keyword"
< },
< "HiberWriteDuration": {
< "type": "keyword"
< },
< "HiveName": {
< "type": "keyword"
< },
< "HiveNameLength": {
---
> "HandleId": {
3450a3424,3426
> "Identity": {
> "type": "keyword"
> },
3467,3469d3442
< "InternalCode": {
< "type": "keyword"
< },
3480a3454,3456
> "KeyFilePath": {
> "type": "keyword"
> },
3485c3461,3464
< "KeysUpdated": {
---
> "KeyName": {
> "type": "keyword"
> },
> "KeyType": {
3496,3498d3474
< "Library": {
< "type": "keyword"
< },
3522a3499,3501
> "MandatoryLabel": {
> "type": "keyword"
> },
3553,3555d3531
< "NTSTATUS": {
< "type": "keyword"
< },
3568,3570d3543
< "NewSize": {
< "type": "keyword"
< },
3575,3577d3547
< "NoMultiStageResumeReason": {
< "type": "keyword"
< },
3585a3556,3567
> "NumberOfGroupPolicyObjects": {
> "type": "keyword"
> },
> "ObjectName": {
> "type": "keyword"
> },
> "ObjectServer": {
> "type": "keyword"
> },
> "ObjectType": {
> "type": "keyword"
> },
3593a3576,3578
> "Operation": {
> "type": "keyword"
> },
3598,3600d3582
< "OriginalSize": {
< "type": "keyword"
< },
3627c3609
< "ProcessID": {
---
> "ProcessCreationTime": {
3655a3638,3640
> "ProviderName": {
> "type": "keyword"
> },
3668c3653
< "QueryName": {
---
> "ReadOperation": {
3678c3663
< "RequiredSize": {
---
> "Resource": {
3681c3666
< "ResumeCount": {
---
> "RestrictedAdminMode": {
3687c3672,3678
< "RmId": {
---
> "ReturnCode": {
> "type": "keyword"
> },
> "Schema": {
> "type": "keyword"
> },
> "SchemaFriendlyName": {
3736,3753d3726
< "SleepDuration": {
< "type": "keyword"
< },
< "SleepTime": {
< "type": "keyword"
< },
< "SnapshotPath": {
< "type": "keyword"
< },
< "SourceFileID": {
< "type": "keyword"
< },
< "SourceLine": {
< "type": "keyword"
< },
< "SourceTag": {
< "type": "keyword"
< },
3792,3797d3764
< "SuspendEnd": {
< "type": "keyword"
< },
< "SuspendStart": {
< "type": "keyword"
< },
3809a3777,3779
> "TargetLinkedLogonId": {
> "type": "keyword"
> },
3817a3788,3796
> "TargetName": {
> "type": "keyword"
> },
> "TargetOutboundDomainName": {
> "type": "keyword"
> },
> "TargetOutboundUserName": {
> "type": "keyword"
> },
3822c3801
< "TargetState": {
---
> "TargetSid": {
3837c3816
< "TmId": {
---
> "TimeProvider": {
3844,3849d3822
< "TotalDirectories": {
< "type": "keyword"
< },
< "TotalFiles": {
< "type": "keyword"
< },
3856a3830,3832
> "Type": {
> "type": "keyword"
> },
3861,3863d3836
< "Username": {
< "type": "keyword"
< },
3868,3886c3841
< "VolumeName": {
< "type": "keyword"
< },
< "WakeDuration": {
< "type": "keyword"
< },
< "WakeSourceTextLength": {
< "type": "keyword"
< },
< "WakeSourceType": {
< "type": "keyword"
< },
< "WakeTime": {
< "type": "keyword"
< },
< "WakeTimerContextLength": {
< "type": "keyword"
< },
< "WakeTimerOwnerLength": {
---
> "VirtualAccount": {
3903,3908d3857
< "param12": {
< "type": "keyword"
< },
< "param13": {
< "type": "keyword"
< },
3939,3950d3887
< },
< "serviceGuid": {
< "type": "keyword"
< },
< "updateGuid": {
< "type": "keyword"
< },
< "updateRevisionNumber": {
< "type": "keyword"
< },
< "updateTitle": {
< "type": "keyword"
3961a3899,3910
> "logon": {
> "properties": {
> "id": {
> "type": "keyword",
> "ignore_above": 1024
> },
> "type": {
> "type": "keyword",
> "ignore_above": 1024
> }
> }
> },
4022,4024d3970
< "Name": {
< "type": "keyword"
< },
What causes this? How to repair this and prevent further problems?
Where do you see this error at? What action were you doing when it happens?
The fields under winlog.event_data.* will all have a mapping type of keyword if the index template from Winlogbeat was installed properly.
These winlog.event_data.* are not all know apriori since any event can establish its own parameter names. But the data will always be mapped to a keyword.
If it's an issue with a Kibana index pattern not knowing about a particular winlog.event_data field then you can refresh the Kibana index pattern to pick up any new fields from the index mappings.
I see it everytime I try to access a winlogbeat index.
This doesn't seem to work properly.
I'll try that and report back.
Best regards,
Robert
Hi,
refreshing the Kibana index pattern solved the problem.
Best regards,
Robert
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.