logstash.outputs.elasticsearch is reporting an error from winlogbeat.
Elasticsearch is reporting a mapper parsing error. It failed to parse [event_data.param21]. Our log file says the error type is an "illegal_argument_exception" caused by an Invalid format.
The data being parsed which causes the error can be a SID, a GUID, an e-mail address preceeded by a / character, or a domainname/userid preceeded by a / character.
Our environment is:
Elastic Cloud version 6.2.2
multiple Logstash instances on Ubuntu 16.04. Logstash is version 6.2.2.
Winlogbeat installed on Windows Server 2012 R2. Winlogbeat is version 6.2.2
We do not have any filter paragraphs in our logstash conf file for this winlogbeat. We are using the winlogbeat-6.0.0 template in the Elastic Cloud.
This was working before we upgraded our Elastic Cloud from 6.0 to 6.2.2.
I have confirmed that date detection is set to false in the template.
I'm new to Elastic Stack. I'm wrapping up week 3 of our attempt to roll this out,. Can someone help me understand the problem and point me to some resources to help me resolve it? TIA
/* SAMPLE ERROR MESSAGE */
[WARN ]
[logstash.outputs.elasticsearch] Could not index event to Elasticsearch.
{:status=>400,
:action=> ["index",
{:_id=>nil,
:_index=>"winlogbeat-adfs-2018.03.02",
:_type=>"doc",
:_routing=>nil}, #LogStash::Event:0x3e33a150],
:response=>
{"index"=>
{"_index"=>"winlogbeat-2018.03.02",
"_type"=>"doc",
"_id"=>"ki1Y0mEBqqHkBmCgio3J",
"status"=>400,
"error"=>
{"type"=>"mapper_parsing_exception",
"reason"=>"failed to parse [event_data.param21]",
"caused_by"=>
{"type"=>"illegal_argument_exception",
"reason"=>"Invalid format: "S-1-5-21-466500971-1680804376-10...""
}
}
}
}