Indexing error "Index -1 out of bounds for length 0"

hKerma · December 2, 2020, 3:38pm

Hi everyone,
I want to use ELK stack to analyze some Kubernetes audit logs. They're sent to the Logstash webhook as JSON. Here's my config file :

input{
 http {
   port => 8888
   codec => "json"
   type => "json"
 }
}

filter{
 json {
   source => "message"
 }
}

output{
 file {
   path => "/home/ubuntu/logstash-kubernetes/audit.log"
 }
 elasticsearch{
   hosts => "localhost:9200"
   index => "kubernetes"
 }
}

The output file is populated with good looking entries, I'm happy with it. But when it comes to exporting to Elasticsearch, I'm getting the following error :

elasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"kubernetes", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x71740f4b>], :response=>{"index"=>{"_index"=>"kubernetes", "_type"=>"_doc", "_id"=>"x6QKJHYBkIKyNOo2Q-z8", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse", "caused_by"=>{"type"=>"array_index_out_of_bounds_exception", "reason"=>"Index -1 out of bounds for length 0"}}}}}

It only happens for some entries. Let me show you an generated entry that was processed without error :

{
  "_index": "kubernetes",
  "_type": "_doc",
  "_id": "xKQKJHYBkIKyNOo2POwJ",
  "_version": 1,
  "_score": 0,
  "_source": {
    "headers": {
      "content_type": "application/json",
      "request_method": "POST",
      "accept_encoding": "gzip",
      "request_path": "/",
      "http_host": "****:8888",
      "http_accept": "application/json, */*",
      "content_length": "2813",
      "http_version": "HTTP/1.1",
      "http_user_agent": "Go-http-client/1.1"
    },
    "@version": "1",
    "host": "****",
    "apiVersion": "audit.k8s.io/v1",
    "items": [
      {
        "requestObject": {
          "type": "Normal",
          "firstTimestamp": "2020-12-02T15:20:19Z",
          "involvedObject": {
            "namespace": "kube-system",
            "name": "kube-scheduler",
            "apiVersion": "v1",
            "resourceVersion": "2573",
            "uid": "0ebf0ea5-f8c0-475a-9c9e-57674edefe8d",
            "kind": "Endpoints"
          },
          "message": "****1_938d6a87-bccb-4ea0-bd6b-31fc27e48b7a became leader",
          "eventTime": null,
          "source": {
            "component": "default-scheduler"
          },
          "reason": "LeaderElection",
          "count": 1,
          "reportingInstance": "",
          "apiVersion": "v1",
          "reportingComponent": "",
          "lastTimestamp": "2020-12-02T15:20:19Z",
          "metadata": {
            "name": "kube-scheduler.164cef6d1f3ed55e",
            "namespace": "kube-system",
            "creationTimestamp": null
          },
          "kind": "Event"
        },
        "requestURI": "/api/v1/namespaces/kube-system/events",
        "responseStatus": {
          "code": 201,
          "metadata": {}
        },
        "user": {
          "groups": [
            "system:authenticated"
          ],
          "username": "system:kube-scheduler"
        },
        "annotations": {
          "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:kube-scheduler\" of ClusterRole \"system:kube-scheduler\" to User \"system:kube-scheduler\"",
          "authorization.k8s.io/decision": "allow"
        },
        "stageTimestamp": "2020-12-02T15:20:19.090835Z",
        "userAgent": "kube-scheduler/v1.19.4 (linux/amd64) kubernetes/d360454/scheduler",
        "objectRef": {
          "namespace": "kube-system",
          "name": "kube-scheduler.164cef6d1f3ed55e",
          "apiVersion": "v1",
          "resource": "events"
        },
        "responseObject": {
          "type": "Normal",
          "firstTimestamp": "2020-12-02T15:20:19Z",
          "involvedObject": {
            "namespace": "kube-system",
            "name": "kube-scheduler",
            "apiVersion": "v1",
            "resourceVersion": "2573",
            "uid": "0ebf0ea5-f8c0-475a-9c9e-57674edefe8d",
            "kind": "Endpoints"
          },
          "message": "****1_938d6a87-bccb-4ea0-bd6b-31fc27e48b7a became leader",
          "eventTime": null,
          "source": {
            "component": "default-scheduler"
          },
          "reason": "LeaderElection",
          "count": 1,
          "reportingInstance": "",
          "apiVersion": "v1",
          "reportingComponent": "",
          "lastTimestamp": "2020-12-02T15:20:19Z",
          "metadata": {
            "name": "kube-scheduler.164cef6d1f3ed55e",
            "namespace": "kube-system",
            "creationTimestamp": "2020-12-02T15:20:19Z",
            "managedFields": [
              {
                "operation": "Update",
                "fieldsType": "FieldsV1",
                "time": "2020-12-02T15:20:19Z",
                "manager": "kube-scheduler",
                "apiVersion": "v1",
                "fieldsV1": {
                  "f:source": {
                    "f:component": {}
                  },
                  "f:lastTimestamp": {},
                  "f:reason": {},
                  "f:firstTimestamp": {},
                  "f:type": {},
                  "f:involvedObject": {
                    "f:kind": {},
                    "f:namespace": {},
                    "f:name": {},
                    "f:apiVersion": {},
                    "f:uid": {},
                    "f:resourceVersion": {}
                  },
                  "f:message": {},
                  "f:count": {}
                }
              }
            ],
            "resourceVersion": "2576",
            "selfLink": "/api/v1/namespaces/kube-system/events/kube-scheduler.164cef6d1f3ed55e",
            "uid": "573e4082-7c38-473c-9116-a114be97a47d"
          },
          "kind": "Event"
        },
        "level": "RequestResponse",
        "requestReceivedTimestamp": "2020-12-02T15:20:19.021481Z",
        "auditID": "cf291b3f-f5fa-4e43-a177-adf9cbfc0197",
        "sourceIPs": [
          "****"
        ],
        "stage": "ResponseComplete",
        "verb": "create"
      }
    ],
    "@timestamp": "2020-12-02T15:20:19.094Z",
    "type": "json",
    "metadata": {},
    "kind": "EventList"
  }
}

And here's the JSON for that error happens :

{
  "headers": {
    "content_type": "application/json",
    "request_method": "POST",
    "accept_encoding": "gzip",
    "request_path": "/",
    "http_host": "****:8888",
    "http_accept": "application/json, */*",
    "content_length": "2668",
    "http_version": "HTTP/1.1",
    "http_user_agent": "Go-http-client/1.1"
  },
  "@version": "1",
  "host": "****",
  "apiVersion": "audit.k8s.io/v1",
  "items": [
    {
      "requestObject": {
        "metadata": {
          "name": "kube-scheduler",
          "namespace": "kube-system",
          "creationTimestamp": "2020-12-02T14:36:33Z",
          "annotations": {
            "control-plane.alpha.kubernetes.io/leader": "{\"holderIdentity\":\"****38d6a87-bccb-4ea0-bd6b-31fc27e48b7a\",\"leaseDurationSeconds\":15,\"acquireTime\":\"2020-12-02T15:18:52Z\",\"renewTime\":\"2020-12-02T15:18:52Z\",\"leaderTransitions\":67}"
          },
          "managedFields": [
            {
              "operation": "Update",
              "fieldsType": "FieldsV1",
              "time": "2020-12-02T15:18:23Z",
              "manager": "kube-scheduler",
              "apiVersion": "v1",
              "fieldsV1": {
                "f:metadata": {
                  "f:annotations": {
                    ".": {},
                    "f:control-plane.alpha.kubernetes.io/leader": {}
                  }
                }
              }
            }
          ],
          "resourceVersion": "2531",
          "selfLink": "/api/v1/namespaces/kube-system/endpoints/kube-scheduler",
          "uid": "0ebf0ea5-f8c0-475a-9c9e-57674edefe8d"
        },
        "apiVersion": "v1",
        "kind": "Endpoints"
      },
      "requestURI": "/api/v1/namespaces/kube-system/endpoints/kube-scheduler?timeout=10s",
      "responseStatus": {
        "code": 200,
        "metadata": {}
      },
      "user": {
        "groups": [
          "system:authenticated"
        ],
        "username": "system:kube-scheduler"
      },
      "annotations": {
        "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:kube-scheduler\" of ClusterRole \"system:kube-scheduler\" to User \"system:kube-scheduler\"",
        "authorization.k8s.io/decision": "allow"
      },
      "stageTimestamp": "2020-12-02T15:18:52.067347Z",
      "userAgent": "kube-scheduler/v1.19.4 (linux/amd64) kubernetes/d360454/leader-election",
      "objectRef": {
        "namespace": "kube-system",
        "name": "kube-scheduler",
        "apiVersion": "v1",
        "resourceVersion": "2531",
        "uid": "0ebf0ea5-f8c0-475a-9c9e-57674edefe8d",
        "resource": "endpoints"
      },
      "responseObject": {
        "metadata": {
          "name": "kube-scheduler",
          "namespace": "kube-system",
          "creationTimestamp": "2020-12-02T14:36:33Z",
          "annotations": {
            "control-plane.alpha.kubernetes.io/leader": "{\"holderIdentity\":\"****1_938d6a87-bccb-4ea0-bd6b-31fc27e48b7a\",\"leaseDurationSeconds\":15,\"acquireTime\":\"2020-12-02T15:18:52Z\",\"renewTime\":\"2020-12-02T15:18:52Z\",\"leaderTransitions\":67}"
          },
          "managedFields": [
            {
              "operation": "Update",
              "fieldsType": "FieldsV1",
              "time": "2020-12-02T15:18:52Z",
              "manager": "kube-scheduler",
              "apiVersion": "v1",
              "fieldsV1": {
                "f:metadata": {
                  "f:annotations": {
                    ".": {},
                    "f:control-plane.alpha.kubernetes.io/leader": {}
                  }
                }
              }
            }
          ],
          "resourceVersion": "2542",
          "selfLink": "/api/v1/namespaces/kube-system/endpoints/kube-scheduler",
          "uid": "0ebf0ea5-f8c0-475a-9c9e-57674edefe8d"
        },
        "apiVersion": "v1",
        "kind": "Endpoints"
      },
      "level": "RequestResponse",
      "requestReceivedTimestamp": "2020-12-02T15:18:52.062449Z",
      "auditID": "a45860c7-e0c9-4724-be2e-705a1b2955f4",
      "sourceIPs": [
        "****"
      ],
      "stage": "ResponseComplete",
      "verb": "update"
    }
  ],
  "@timestamp": "2020-12-02T15:20:22.001Z",
  "type": "json",
  "metadata": {},
  "kind": "EventList"
}

(I removed some personnal data from the JSONs)
Both JSONs appears as valid. I noticed that the JSONs with responseStatus.code = 201 were correctly processed, and those with code = 200 were throwing this error.

I'm getting a bit mad so if anyone can help with that, I'd be very pleased !
Best,
Hugo

Badger · December 2, 2020, 4:10pm

In the elasticsearch logs I would expect there to be an exception with a stack trace. What does that look like?

hKerma · December 2, 2020, 5:26pm

Hi,
Not much actually, the only entries related to these errors are in elasticsearch_deprecation.log and they are :

[2020-12-02T17:21:41,520][DEPRECATION][o.e.d.a.b.BulkRequestParser] [myMachineName] [types removal] Specifying types in bulk requests is deprecated.

for every entry.

Interesting fact (or not), the /var/log/logstash logs are totally empty.

Badger · December 2, 2020, 5:44pm

That makes me wonder if you have permissions problems that are preventing the logs being written.

hKerma · December 2, 2020, 5:47pm

I'm not sure because I have log entries, they're just not related to the error. But I'm considering that anyway.

hKerma · December 2, 2020, 5:58pm

UPDATE : so I used to launch logstash directly with the /usr/share/logstash/bin/logstash executable, because of a permission error on /var/lib/logstash/queue.
I tried to chmod 777 everything and now Logstash is able to start from the service (sudo service logstash start). I now have logs in /var/lib/logstash, but they are the same as in the first post :

[2020-12-02T17:54:52,125][WARN ][logstash.outputs.elasticsearch][main][920969c9c1217359377f3e6571cd2531cd707ed2e3d21aed9a52f3437502d44d] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"kubernetes", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x3f85d0b9>], :response=>{"index"=>{"_index"=>"kubernetes", "_type"=>"_doc", "_id"=>"GxuXJHYBTV5-IUiTuvhT", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse", "caused_by"=>{"type"=>"array_index_out_of_bounds_exception", "reason"=>"Index -1 out of bounds for length 0"}}}}}

I really don't understand where does this "out of bounds" exception come from.

Badger · December 2, 2020, 7:15pm

Without a stack trace from elasticsearch I think it will be impossible to say. There have been a variety of issues that caused that error.

hKerma · December 3, 2020, 12:27pm

Hi,
So I didn't get any interesting logs because the log level was set to INFO (should've check that first, sorry).
Changed it to debug, now I have this :

[2020-12-03T12:20:07,084][DEBUG][o.e.a.b.TransportShardBulkAction] [arc-concordia-controller1] [kubernetes][0] failed to execute bulk item (index) index {[kubernetes][_doc][bcuLKHYBxfUMFRPTnd0p], source[n/a, actual length: [2.9kb], max length: 2kb]}
org.elasticsearch.index.mapper.MapperParsingException: failed to parse
	at org.elasticsearch.index.mapper.DocumentParser.wrapInMapperParsingException(DocumentParser.java:191) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseDocument(DocumentParser.java:74) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:227) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.shard.IndexShard.prepareIndex(IndexShard.java:803) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.shard.IndexShard.applyIndexOperation(IndexShard.java:780) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.shard.IndexShard.applyIndexOperationOnPrimary(IndexShard.java:752) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.action.bulk.TransportShardBulkAction.executeBulkItemRequest(TransportShardBulkAction.java:285) [elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.action.bulk.TransportShardBulkAction$2.doRun(TransportShardBulkAction.java:175) [elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.action.bulk.TransportShardBulkAction.performOnPrimary(TransportShardBulkAction.java:220) [elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.action.bulk.TransportShardBulkAction.dispatchedShardOperationOnPrimary(TransportShardBulkAction.java:126) [elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.action.bulk.TransportShardBulkAction.dispatchedShardOperationOnPrimary(TransportShardBulkAction.java:85) [elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.action.support.replication.TransportWriteAction$1.doRun(TransportWriteAction.java:179) [elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:737) [elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.10.0.jar:7.10.0]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) [?:?]
	at java.lang.Thread.run(Thread.java:832) [?:?]
Caused by: java.lang.ArrayIndexOutOfBoundsException: Index -1 out of bounds for length 0
	at org.elasticsearch.index.mapper.DocumentParser.getMapper(DocumentParser.java:919) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:499) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:415) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:395) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:482) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:520) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:415) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:395) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:482) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:520) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:415) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:395) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:482) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:520) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:415) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:395) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:482) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:520) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseNonDynamicArray(DocumentParser.java:592) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseArray(DocumentParser.java:557) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:417) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:395) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:482) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:502) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:415) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:395) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:482) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:502) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:415) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:395) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrField(DocumentParser.java:482) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:502) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseNonDynamicArray(DocumentParser.java:592) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseArray(DocumentParser.java:544) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.innerParseObject(DocumentParser.java:417) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseObjectOrNested(DocumentParser.java:395) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.internalParseDocument(DocumentParser.java:112) ~[elasticsearch-7.10.0.jar:7.10.0]
	at org.elasticsearch.index.mapper.DocumentParser.parseDocument(DocumentParser.java:71) ~[elasticsearch-7.10.0.jar:7.10.0]
	... 16 more

There's a lot of "parseObject", "parseObjectOrField" and "parseObjectOrNested" calls in the stack trace, I believe if fails to parse one of the JSON field ... That would explain why some JSONs are correctly processed and why others are accepted, since they have different fields.

Badger · December 3, 2020, 4:51pm

It is blowing up here. I think you need to ask about this in the elasticsearch forum. It is not a logstash question.

Given that you can ask a question like "When I index this document I get this exception" I would be optimistic about getting a good answer.

hKerma · December 3, 2020, 5:51pm

Ok I'll do that, anyway thanks for your help !

system · December 31, 2020, 5:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.