Filebeat/Modules Cannot index event publisher.Event

jdomsic · July 24, 2018, 3:29pm

Hi,

I just enabled and started filebeat with 2 modules (system and auditd) and
my index (filebeat-*) is not created/populated in elasticsearch.

Filebeat config:
filebeat.config.modules.path: ${path.config}/modules.d/*.yml

output.elasticsearch:
  hosts: ["HOSTNAME"]

Filebeat.logs

2018-07-24T17:24:07.954+0200    WARN    elasticsearch/client.go:502     Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbecdef05b7e73fb8, ext:606069906850, loc:(*time.Location)(0
x1f4a300)}, Meta:common.MapStr{"pipeline":"filebeat-6.3.1-system-syslog-pipeline"}, Fields:common.MapStr{"source":"/var/log/messages", "offset":551245, "message":"Jul 24 17:24:01 HOSTNAME systemd: Starting 
Session 76334 of user root.", "prospector":common.MapStr{"type":"log"}, "input":common.MapStr{"type":"log"}, "fileset":common.MapStr{"module":"system", "name":"syslog"}, "beat":common.MapStr{"name":"HOSTNAME", "hostname":"HOSTNAME", "version":"6.3.1"}, "host":common.MapStr{"name":"HOSTNAME"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc4201b61a0), Source:"/v
ar/log/messages", Offset:551321, Timestamp:time.Time{wall:0xbecdee6e36f76164, ext:54186594, loc:(*time.Location)(0x1f4a300)}, TTL:-1, Type:"log", Meta:map[string]string{}, FileStateOS:file.StateOS{Inode:0xf482f,
 Device:0x802}}}, Flags:0x1} (status=400): {"type":"mapper_parsing_exception","reason":"Failed to parse mapping [doc]: Mapping definition for [error] has unsupported parameters:  [properties : {code={type=long},
 message={norms=false, type=text}, type={ignore_above=1024, type=keyword}}]","caused_by":{"type":"mapper_parsing_exception","reason":"Mapping definition for [error] has unsupported parameters:  [properties : {co
de={type=long}, message={norms=false, type=text}, type={ignore_above=1024, type=keyword}}]"}}

Mapping template is created
filebeat export template > filebeat.template.json
curl -X PUT "HOSTNAME/_template/filebeat" -H 'Content-Type: application/json' -d@filebeat.template.json

ruflin · July 24, 2018, 6:53pm

Why do you load the template manually? Filebeat will automatically load teh template for you and put it in for the correct version and name.

jdomsic · July 25, 2018, 11:59am

No specific reason. I tried filebeat setup first, but there was the same issue.

P.S. Reinstalling filebeat, as well as removing all filebeat templates seems to have solved the issue.

ruflin · July 26, 2018, 12:15pm

Interesting, not sure why this solved the issue Glad it works now.

system · August 23, 2018, 12:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.