Ingest error with logstash

hollo · December 12, 2023, 9:24pm

Hi.
I've created a filebeat -> logstash -> elastic flow for iptables logs.
Filebeat uses the default iptables module.
Logstash has minimal config (beat input, elastic output, no filter).
The Logstash pipeline comes from the documentation.
Default Elastic ingests are installed.

When a message is sent via the above flow, I've got a dlq error message:

Could not index event to Elasticsearch. status: 400, action: ["create", {:_id=>nil, :_index=>"filebeat-8.10.3", :routing=>nil, :pipeline=>"filebeat-8.10.3-iptables-log-pipeline"}, {"fileset"=>{"name"=>"log"}, "log"=>{"file"=>{"path"=>"/var/log/firewall"
...
 response: {"create"=>{"_index"=>".ds-filebeat-8.10.3-2023.12.12-000025", "_id"=>"hYy5X4wBj3IF6fYTGKKe", "status"=>400, "error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:65] failed to parse field [iptables.ether_type] of type [long] in document with id 'hYy5X4wBj3IF6fYTGKKe'. Preview of field's value: '08:00'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"For input string: \"08:00\""}}}}

The 08:00 is the hexa value of ether_type (comes from iptables log) and filebeat-8.10.3-iptables-log-pipeline's painless script should convert it to long value (2048).

Anyway the conversion works as expected if I test the message on Kibana Ingest Test or modify the flow to direct sending (filebeat -> elastic).

I guess that there is some difference in the behavior of ingest processing based on beat or logstash source, but I couldn't find any clue. Any idea?
Thanks.

hollo · December 14, 2023, 11:20am

I think I found the problem.
Logstash adds an event.orignal field to the data before send it to the ingest and iptables-ingest 3rd step is a Rename task (Renames "message" to "event.original") which throws an "already exits" error and stops the process.

When I set the "Ignore failures for this processor" option the processing worked as expected (maybe a condition should be more elegant).

hollo · December 14, 2023, 11:39am

Anyway the "ignore" and condition (ctx?.event?.original == null) are not the best, because both fields remain.
A failure handler (remove field) could be a solution, but I think it's ugly....

system · January 11, 2024, 11:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Running into problems moving from Logstash ingestion to Filebeat harvesting Elasticsearch	2	382	September 5, 2018
Elastic Agent error with event.created & event.ingested Elastic Agent ingest-pipeline	1	602	September 8, 2022
Logstash ingest pipeline at elasticsearch Logstash	2	1764	September 25, 2018
Failed to parse field [msg.RequestPort] of type [long] Logs	5	3862	September 12, 2022
Can not index events after upgrade Beats filebeat	2	708	February 1, 2018

Ingest error with logstash

Related topics