Filebeat issue with "cannot index event - dropping event"

Hello,
I'm using Filebeat to parse Elasticsearch audit logs in JSON format.
I'm getting the warnings below and don't know what to do with them:
WARN [elasticsearch] elasticsearch/client.go:414 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2022, time.February, 20, 22, 31, 55, 876719398, time.Local), Meta:null, Fields:{"agent":{"ephemeral_id":"4ffea9e4-71ec-476b-89eb-b8d32409d8a4","hostname":"filebeat-tst-0","id":"796e2d02-73f2-41f6-8bdf-0264eada2623","name":"filebeat-tst-0","type":"filebeat","version":"7.17.0"},"ecs":{"version":"1.12.0"},"event.action":"connection_granted","event.type":"ip_filter","host":{"architecture":"x86_64","containerized":true,"hostname":"filebeat-tst-0","ip":["172.17.0.4"],"mac":["02:42:ac:11:00:04"],"name":"filebeat-tst-0","os":{"codename":"focal","family":"debian","kernel":"5.13.0-28-lowlatency","name":"Ubuntu","platform":"ubuntu","type":"linux","version":"20.04.3 LTS (Focal Fossa)"}},"input":{"type":"log"},"log":{"file":{"path":"/opt/audit.json"},"offset":43480219},"node.id":"E9Q79pB9Q-qQCGZMgFlxbQ","node.name":"elasticsearch-pci-0","origin.address":"192.168.112.62","origin.type":"rest","rule":"allow default:accept_all","timestamp":"2022-02-18T16:45:22,070+0000","transport.profile":".http","type":"audit"}, Private:file.State{Id:"native::2988727-29", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0008a4270), Source:"/opt/audit.json", Offset:43480535, Timestamp:time.Date(2022, time.February, 20, 22, 31, 52, 52425316, time.Local), TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x2d9ab7, Device:0x1d}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"object mapping for [rule] tried to parse field [rule] as object, but found a concrete value"}, dropping event!
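The error body in that warning says what went wrong: the index already maps `rule` as an object (ECS, which Filebeat's default index template follows, defines `rule` as an object with `rule.name`, `rule.id` and similar sub-fields), while the audit event carries `rule` as a plain string, so Elasticsearch rejects the document with HTTP 400 and Filebeat drops it. In an audit pipeline that is silent loss of security events, so it is worth catching before rollout. The script below is an added example, not code from the original post or from Filebeat: it parses a "dropping event" warning line into its status, error type and offending field, and checks a sample event against a mapping fragment for exactly this object-versus-concrete-value mismatch. The warning line, the mapping fragment and the event are constructed to mirror the post, and the function names are mine.

```python
"""Detect the mapping-type conflict behind Filebeat's
"Cannot index event ... dropping event!" warnings.

Added example, not from the original post. The sample warning, mapping
fragment and event below are constructed, modelled on the post.
"""
import json
import re
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Tail of a Filebeat output warning: HTTP status plus the JSON error body
# Elasticsearch returned, followed by ", dropping event!".
DROP_RE = re.compile(r"\(status=(?P<status>\d+)\): (?P<body>\{.*\}), dropping event!\s*$")

# Offending field named in a mapper_parsing_exception reason.
FIELD_RE = re.compile(r"object mapping for \[(?P<field>[^\]]+)\]")

# Constructed warning line, trimmed from the shape seen in the post.
SAMPLE_WARNING = (
    "WARN [elasticsearch] elasticsearch/client.go:414 Cannot index event "
    'publisher.Event{Content:beat.Event{Fields:{"rule":"allow default:accept_all","type":"audit"}}} '
    '(status=400): {"type":"mapper_parsing_exception","reason":"object mapping for [rule] '
    'tried to parse field [rule] as object, but found a concrete value"}, dropping event!'
)

# Constructed mapping fragment in the shape of an index template's
# "properties": an ECS-style "rule" object next to keyword fields.
# This is not Filebeat's actual template.
SAMPLE_MAPPING = {
    "rule": {"properties": {"name": {"type": "keyword"}, "id": {"type": "keyword"}}},
    "event": {"properties": {"action": {"type": "keyword"}, "type": {"type": "keyword"}}},
    "type": {"type": "keyword"},
}

# Constructed audit event with the dotted keys and string "rule" from the post.
SAMPLE_EVENT = {
    "type": "audit",
    "event.action": "connection_granted",
    "event.type": "ip_filter",
    "rule": "allow default:accept_all",
    "origin.address": "192.168.112.62",
}


def parse_drop_warning(line: str) -> Optional[Dict[str, Any]]:
    """Return status, error type, reason and offending field for a
    'dropping event' warning, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    body = json.loads(m.group("body"))
    reason = body.get("reason", "")
    fm = FIELD_RE.search(reason)
    return {
        "status": int(m.group("status")),
        "error_type": body.get("type"),
        "reason": reason,
        "field": fm.group("field") if fm else None,
    }


def _kind(value: Any) -> str:
    """Classify a JSON value the way the mapper does: object or concrete."""
    if isinstance(value, dict):
        return "object"
    if isinstance(value, list):
        kinds = {_kind(v) for v in value}
        return kinds.pop() if len(kinds) == 1 else "mixed"
    return "concrete"


def _walk(doc: Dict[str, Any], prefix: str = "") -> Iterable[Tuple[str, str]]:
    """Yield (dotted_path, kind) for every field, expanding dotted keys such
    as "event.action" into the intermediate objects the mapper creates."""
    for key, value in doc.items():
        parts = key.split(".")
        path = prefix
        for part in parts[:-1]:
            path = f"{path}.{part}" if path else part
            yield path, "object"
        path = f"{path}.{parts[-1]}" if path else parts[-1]
        yield path, _kind(value)
        if isinstance(value, dict):
            yield from _walk(value, path)


def _lookup(props: Dict[str, Any], path: str) -> Optional[Dict[str, Any]]:
    """Find the mapping node for a dotted path, or None if unmapped."""
    node = None
    for part in path.split("."):
        if props is None or part not in props:
            return None
        node = props[part]
        props = node.get("properties")
    return node


def check_event_against_mapping(props: Dict[str, Any], doc: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Return (path, mapped_kind, event_kind) for every field whose shape in
    the event disagrees with the mapping. Unmapped fields are skipped, since
    dynamic mapping would simply add them."""
    conflicts = []
    for path, kind in _walk(doc):
        mapped = _lookup(props, path)
        if mapped is None:
            continue
        is_obj = "properties" in mapped or mapped.get("type") in ("object", "nested")
        mapped_kind = "object" if is_obj else "concrete"
        if kind != "mixed" and kind != mapped_kind:
            conflicts.append((path, mapped_kind, kind))
    return conflicts


if __name__ == "__main__":
    print(parse_drop_warning(SAMPLE_WARNING))
    print(check_event_against_mapping(SAMPLE_MAPPING, SAMPLE_EVENT))
```

Run against the sample, the checker reports `rule` as mapped `object` but sent as `concrete`, which is the same mismatch the warning names. Once the field is identified, the usual remedies are to rename it before it reaches the output (Filebeat's `rename` processor does this) or to change the index template so that `rule` is mapped as a keyword for that index; either way, running new event shapes through a check like this against the live template before deployment turns a silent drop into a visible failure.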
