{"type":"mapper_parsing_exception","reason":"Could not dynamically add mapping for field [id.orig_p]. Existing mapping for [zeek.x509.id] must be of type object but found [keyword]."}
Looking at the raw log, the entry is a unique id and not an object:
"id":"FADRrn3DtGF5KcK2Gb"
I don't know what I did wrong. The only change I made was adding...
  index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"
  indices:
    - index: "filebeat-%{[agent.version]}-zeek-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "zeek"
    - index: "filebeat-%{[agent.version]}-suricata-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "suricata"
My goal was to create separate indexes for each module. Is this not a good idea?
Before doing that zeek logs were ingesting just fine.
So how did I mess this up? And what's the right way to fix it?
I am using the zeek filebeat module. Zeek logs are in /opt/zeek/logs, so I did have to modify the /etc/filebeat/modules.d/zeek.yml var.paths, but that shouldn't have any effect either.
I can see that some logs are coming in but not all?
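The error quoted at the top is a mapping conflict: one mapping treats zeek.x509.id as a keyword, the other as an object with sub-fields. A quick way to see where such conflicts come from is to diff the field types of the mapping on an index that ingests fine against the mapping Elasticsearch would apply to the new per-module index. The script below is an added example, not code from the original post or from Filebeat; the two mappings embedded in it are constructed to reproduce the keyword-vs-object clash from the question, and the unwrapping helper assumes the JSON shape returned by Elasticsearch's GET <index>/_mapping.

```python
"""Diff field types between two Elasticsearch mappings.

Added example. Assumes you saved the JSON of GET <good-index>/_mapping and of
the mapping applied to the new per-module index (for example via
GET _index_template/_simulate_index/<new-index-name>) to files; the two
mappings embedded below are constructed samples that stand in for those files.
"""
import json
from typing import Dict, Tuple

# Constructed sample: the mapping on the index that ingested zeek logs fine,
# where zeek.x509.id is a plain keyword (the raw log carries a string id).
MAPPING_OK = {
    "properties": {
        "zeek": {"properties": {"x509": {"properties": {
            "id": {"type": "keyword"},
            "session_id": {"type": "keyword"},
        }}}},
        "event": {"properties": {"module": {"type": "keyword"}}},
    }
}

# Constructed sample: a mapping where zeek.x509.id has become an object with
# orig_p under it, which is what the mapper_parsing_exception complains about.
MAPPING_CONFLICT = {
    "properties": {
        "zeek": {"properties": {"x509": {"properties": {
            "id": {"properties": {"orig_p": {"type": "long"}}},
            "session_id": {"type": "keyword"},
        }}}},
        "event": {"properties": {"module": {"type": "keyword"}}},
    }
}


def unwrap_get_mapping(doc: dict) -> dict:
    """Accept either a bare mapping ({"properties": ...}) or the
    {"<index>": {"mappings": {...}}} envelope that GET _mapping returns."""
    if "properties" in doc:
        return doc
    # Take the first (normally only) index in the envelope.
    first = next(iter(doc.values()))
    return first.get("mappings", first)


def flatten_mapping(mapping: dict, prefix: str = "") -> Dict[str, str]:
    """Return {dotted.field.path: type}. A node carrying 'properties' is
    reported as 'object' and recursed into; a leaf reports its 'type'."""
    out: Dict[str, str] = {}
    for name, node in mapping.get("properties", {}).items():
        path = f"{prefix}{name}"
        if "properties" in node:
            out[path] = "object"
            out.update(flatten_mapping(node, path + "."))
        else:
            out[path] = node.get("type", "object")
    return out


def find_type_conflicts(a: dict, b: dict) -> Dict[str, Tuple[str, str]]:
    """Fields present in both mappings whose types disagree, e.g.
    {'zeek.x509.id': ('keyword', 'object')}."""
    fa, fb = flatten_mapping(unwrap_get_mapping(a)), flatten_mapping(unwrap_get_mapping(b))
    return {f: (fa[f], fb[f]) for f in fa.keys() & fb.keys() if fa[f] != fb[f]}


def load_mapping(path: str) -> dict:
    """Load a saved GET _mapping (or _simulate_index) response from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Replace the constructed samples with load_mapping("good.json") /
    # load_mapping("new.json") to diff real mappings.
    for field, (t_ok, t_new) in sorted(find_type_conflicts(MAPPING_OK, MAPPING_CONFLICT).items()):
        print(f"{field}: {t_ok} (good index) vs {t_new} (new index)")
```

Any field this prints is one that the new index name resolves to a different mapping for; the fix is then to make the template that matches the per-module index names carry the same field definitions as the one matching the default index name.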