Issues with multiple winlogbeat parsing

Marcos_Felix · August 15, 2018, 1:28pm

Hello,
I have attempted to add another winlogbeat agent to another box and this is the output to the logstash logs:

[2018-08-15T14:01:23,485][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.07.27", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x83d4540>], :response=>{"index"=>{"_index"=>"logstash-2018.07.27", "_type"=>"doc", "_id"=>"hp6tPWUBypXk6ixiKfIg", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:674"}}}}}
[2018-08-15T14:04:05,235][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 503 ({"type"=>"process_cluster_event_timeout_exception", "reason"=>"failed to process cluster event (put-mapping) within 30s"})

This is my logstash config files:

apache config:

input {
  file {
    path => "/var/log/logstash/*_log"
  }
}

filter {
  if [path] =~ "access" {
    mutate { replace => { type => "apache_access" } }
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  } else if [path] =~ "error" {
    mutate { replace => { type => "apache_error" } }
  } else {
    mutate { replace => { type => "random_logs" } }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

beats config:

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

logstash config:

input { stdin { } }

filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

syslog config:

input {
  tcp {
    port => 5000
    type => syslog
  }
  udp {
    port => 5000
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

I got a few logs from the other box but never again. It came randomly and stopped randomly.

Badger · August 15, 2018, 1:30pm

When logstash logs that error I would expect elasticsearch to log a more informative error.

Marcos_Felix · August 15, 2018, 1:33pm

[2018-08-15T14:01:23,485][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.07.27", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x83d4540>], :response=>{"index"=>{"_index"=>"logstash-2018.07.27", "_type"=>"doc", "_id"=>"hp6tPWUBypXk6ixiKfIg", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [host]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:674"}}}}}
[2018-08-15T14:04:05,235][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 503 ({"type"=>"process_cluster_event_timeout_exception", "reason"=>"failed to process cluster event (put-mapping) within 30s"})
[2018-08-15T14:04:05,238][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 503 ({"type"=>"process_cluster_event_timeout_exception", "reason"=>"failed to process cluster event (put-mapping) within 30s"})
[2018-08-15T14:04:05,240][INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>2}
[2018-08-15T14:04:05,551][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 503 ({"type"=>"process_cluster_event_timeout_exception", "reason"=>"failed to process cluster event (put-mapping) within 30s"})
[2018-08-15T14:04:05,552][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 503 ({"type"=>"process_cluster_event_timeout_exception", "reason"=>"failed to process cluster event (put-mapping) within 30s"})
[2018-08-15T14:04:05,553][INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>2}
[2018-08-15T14:20:29,576][INFO ][org.logstash.beats.BeatsHandler] [local: 0.0.0.0:5044, remote: IP:62810] Handling exception: Connection reset by peer

This is the new log - i checked elasticsearch and nothing wrong with it.
It seems like logs are going through, but why did it give that error and most importantly, how did it fix by itself?

Topic		Replies	Views
Failed to parse [host] error Logstash	3	829	January 24, 2019
Winlogbeat events not parsed Logstash	2	304	December 9, 2022
Logstash stopped accepting events from winlogbeat since the new year Logstash	3	728	February 18, 2020
Unable to get winlogbeat to send to logstash Beats winlogbeat	29	6009	May 25, 2017
Logstash Failed to parse with all enclosed parsers Logstash	2	1647	November 30, 2020

Issues with multiple winlogbeat parsing

Related topics