Having issues sending windows server logs to our elastic cluster


#1

Hi, I tried sending Windows logs to our Elasticsearch cluster using our already existing Winlogbeat template, but for some reason these new Windows machines are having trouble. For some reason, the data is not showing up in Kibana from these new Windows hosts. I verified with tcpdump that our Logstash machines are receiving the data from the new Windows machines.

I checked the logs of one of our elastic data nodes and found this:

[2018-07-11T15:06:11,920][DEBUG][o.e.a.b.TransportShardBulkAction] [winlogbeat-2018-07-11][1] failed to execute bulk item (index) BulkShardRequest [[winlogbeat-2018-07-11][1]] containing [6] requests
org.elasticsearch.index.mapper.MapperParsingException: object mapping for [host] tried to parse field [host] as object, but found a concrete value

I then ran the following command to see the mapping for host:

I can see that the host mapping is of the type "text", but this has not been an issue with previous Windows hosts. What is the issue here and how would I go about fixing this?

Thankful for replies.

EDIT: I found that the host field in Kibana looks like this:

{
"name": "DCC02"
}

I only want the "DCC02" part. How would I fix this?


(Thomas Dasch) #2

Victor,

Looks like you've gotten to the root of the problem: ES is not happy with the mapping of host, so it's a mapping issue you need to resolve. The error "object mapping for [host] tried to parse field [host] as object, but found a concrete value" reports that the mapping was expecting host to be an object, but instead it's a non-object. So you need to look at your mapping and probably your Winlogbeat template.

Here is an example of what I think is happening:

You've designed a property for the host field:

{
    "mappings": {
        "_doc": {
            "properties": {
                "host": {
                    "properties": {
                        "name": {"type": "text"}
                    }
                }
            }
        }
    }
}

You entered data correctly for the mapping:

{
    "host": {
        "name": "foo"
    }
}

And here is how you can get into trouble: if you enter something like

{
    "host" : "foo"
}
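As an added illustration of the rule in the reply above (not code from the thread or from Elastic), here is a small Python checker that walks documents against the "properties" block of a mapping and reports object-vs-concrete conflicts in either direction, then splits a batch the way a bulk request is handled, item by item. The mapping and the three sample events are constructed for the example.

```python
# Constructed mapping from the reply above: "host" is an object with a "name" text field.
OBJECT_HOST_MAPPING = {"host": {"properties": {"name": {"type": "text"}}}}
# Constructed mapping for the opposite layout: "host" is a plain keyword field.
SCALAR_HOST_MAPPING = {"host": {"type": "keyword"}}

# Constructed sample events: two send host as an object, one as a bare string.
SAMPLE_EVENTS = [
    {"host": {"name": "DCC02"}, "event_id": 4624},
    {"host": "DCC01", "event_id": 4625},
    {"host": {"name": "DCC03"}, "event_id": 4634},
]


def find_mapping_conflicts(properties, doc, path=""):
    """Return a list of 'field: reason' strings for every place where the
    document's shape (object vs concrete value) disagrees with the mapping."""
    conflicts = []
    for field, value in doc.items():
        full = f"{path}.{field}" if path else field
        spec = properties.get(field)
        if spec is None:
            continue  # unmapped field: ES would map it dynamically, not reject it
        # A field with no explicit type but with sub-properties is an object mapping.
        mapped_as_object = spec.get("type", "object") in ("object", "nested")
        is_object_value = isinstance(value, dict)
        if mapped_as_object and not is_object_value:
            conflicts.append(
                f"{full}: mapped as object, document has concrete value {value!r}")
        elif not mapped_as_object and is_object_value:
            conflicts.append(
                f"{full}: mapped as {spec.get('type')}, document has object {value!r}")
        elif mapped_as_object and is_object_value:
            # Recurse into the sub-object to find deeper mismatches.
            conflicts.extend(
                find_mapping_conflicts(spec.get("properties", {}), value, full))
    return conflicts


def partition_bulk(properties, docs):
    """Split a batch into (accepted, rejected) lists of (doc, conflicts) pairs.
    Each item is judged on its own, so one bad event does not block the rest,
    which is why only some 'bulk item (index)' entries fail in the log."""
    accepted, rejected = [], []
    for doc in docs:
        conflicts = find_mapping_conflicts(properties, doc)
        (rejected if conflicts else accepted).append((doc, conflicts))
    return accepted, rejected
```

Running the same events against both mappings shows that whichever shape the template expects, events in the other shape are the ones that get rejected.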

#3

Hi @tdasch, I'm sorry but I don't quite follow. I know that the mapping is off, but I don't know what to do about it. I tried changing it to keyword to see if that would've solved it, but to no avail. Do you mean that I should change the config in Winlogbeat or in the Elastic cluster?


(Thomas Dasch) #4

Hey Victor,

Check out this link to the doc, which explains a breaking change for Winlogbeat. This could be your problem depending on what versions you are running (new vs. old).