Getting 'Badly formatted index, after interpolation still contains placeholder' error when trying to ingest AWS WAF logs

feo13 · August 16, 2023, 2:14am

Hi there,

I'm trying to ingest AWS WAF logs with logstash-8.9.0 and send them to my local ELK stack but am getting a 'Badly formatted index, after interpolation still contains placeholder' error. Here's my logstash config:

input { 
  s3 { 
    "access_key_id" => "foo"
    "secret_access_key" => "bar"
    "region" => "us-east-1" 
    "bucket" => "aws-waf-logs" 
    "type" => "waf-log" 
    "interval" => "300" 
    "sincedb_path" => "/tmp/.waf-log_since.db" 
  } 
} 

filter { 
  if [type] == "waf-log" { 
   json { 
        source => "message" 
  } 
  date { 
        match => [ "[timestamp]", "UNIX_MS" ] 
  } 
  geoip { 
        source => [ "[httpRequest][clientIp]" ] 
        target => geoip 
  } 
  ruby { 
    code => ' 
      event.get("[httpRequest][headers]").each { |kv| 
        event.set(name = kv["name"], value = kv["value"])} 
        ' 
  } 
} 
} 

output { 
  elasticsearch { 
    hosts => ["http://127.0.0.1:9200/"] 
    index => "%{[type]}%-{+YYYY.MM.dd}"
    ilm_enabled => false 
    data_stream => false
    action => "create"
  } 
}

I read Could not index event to Elasticsearch DataStream but changing index to 'index => "%{[@metadata][beat]}-%{[@metadata][version]}"' returns the same 'Badly formatted index' error.

Can anyone point me in the right direction?

Thanks!

stephenb · August 16, 2023, 3:04am

Hi @feo13 Welcome to the community.

Look like at least a Syntax error got an % in the wrong place

index => "%{[type]}-%{+YYYY.MM.dd}"
...................^

feo13 · August 16, 2023, 3:59am

Thank you SO much! It looks like that resolved the 'Badly formatted index' error but now I'm getting this:

[2023-08-16T03:42:25,231][WARN ][logstash.outputs.elasticsearch][main]
[ca2bc6153105dde6379bf39666d95cd4b608ad24418e29aca41368c5e05372ef] Could 
not index event to Elasticsearch. {:status=>400, :action=>["create", 
{:_id=>nil, :_index=>"waf-log-2023.05.12", :routing=>nil}, 
{"terminatingRuleType"=>"REGULAR", "@timestamp"=>2023-05-12T18:43:26.325Z,

From what I've read, that can happen when there's an old index template and the mappings aren't aligned. But when I go into Dev Console and do a 'GET _template', I just see '.monitoring-es' so I'm not sure what exactly to delete.

Thanks again for your response -- I really appreciate it!

feo13 · August 16, 2023, 4:38am

OK, I got it. I just deleted all pre-existing indicies and index templates that I'd created for WAF, restarted logstash, and recreated the template.

Thank you again for the help -- I really appreciate it!

system · September 13, 2023, 4:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Bad request response when adding WAF logs to Elasticsearch Elasticsearch	14	1945	November 18, 2019
Need advice on AWS logs indexing using logstash Logstash	7	852	July 6, 2017
Logstash intergation with AWS Elasticsearch Logstash	3	5857	July 6, 2017
Unable to change index off default logstash-* Logstash	6	1772	July 6, 2017
Logstash does not make indices in elasticsearch Logstash	8	844	September 17, 2018

Getting 'Badly formatted index, after interpolation still contains placeholder' error when trying to ingest AWS WAF logs

Related topics