Hello All,
I've got the following setup installed:
packetbeat-6.5.4-1.x86_64 (installed on 2 different downstream servers)
elasticsearch-6.5.4-1.noarch (installed on 6 physical servers - setup as 3 data and 3 masters)
kibana-6.5.4-1.x86_64 (installed on one of the master servers)
The config for packetbeat is simple. Simple, defined as pointing the beat at the ES server that's running Kibana, editing the beat name, and changing nothing else. The beat starts as expected.
2018-12-20T14:26:32.305-0800 INFO instance/beat.go:278 Setup Beat: packetbeat; Version: 6.5.4
2018-12-20T14:26:35.307-0800 INFO add_cloud_metadata/add_cloud_metadata.go:319 add_cloud_metadata: hosting provider type not detected.
2018-12-20T14:26:35.307-0800 INFO elasticsearch/client.go:163 Elasticsearch url: http://10.1.249.31:9200
2018-12-20T14:26:35.307-0800 INFO [publisher] pipeline/module.go:110 Beat name: hercules
2018-12-20T14:26:35.308-0800 INFO procs/procs.go:91 Process watcher disabled
Config OK
[ OK ]
However, no index is created for either downstream beat. The following is a sample from one of the beat instances:
2018-12-20T15:33:10.292-0800 WARN elasticsearch/client.go:521 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xf79bb20, ext:63680945589, loc:(*time.Location)(0x22d2700)}, Meta:common.MapStr(nil), Fields:common.MapStr{"status":"Error", "client_port":0xc6d7, "client_server":"", "client_proc":"", "dns":common.MapStr{"op_code":"QUERY", "answers_count":0, "flags":common.MapStr{"truncated_response":false, "recursion_desired":true, "recursion_available":false, "authentic_data":false, "checking_disabled":false, "authoritative":false}, "opt":common.MapStr{"ext_rcode":"Unknown 15", "do":true, "version":"0", "udp_size":0xfa0}, "id":0x5bd, "question":common.MapStr{"etld_plus_one":"akadns.net.", "name":"v10-win.vortex.data.microsoft.com.akadns.net.", "type":"A", "class":"IN"}, "additionals_count":0, "response_code":"NOERROR", "authorities_count":0}, "ip":"8.8.8.8", "port":0x35, "proc":"", "host":common.MapStr{"name":"usherlsec01.bio-rad.com", "os":common.MapStr{"platform":"centos", "version":"6.8 (Final)", "family":"redhat", "codename":"Final"}, "containerized":true, "architecture":"x86_64"}, "client_ip":"10.3.122.224", "query":"class IN, type A, v10-win.vortex.data.microsoft.com.akadns.net.", "transport":"udp", "notes":"Another query with the same DNS ID from this client was received so this query was closed without receiving a response", "beat":common.MapStr{"version":"6.5.4", "name":"hercules", "hostname":"usherlsec01.bio-rad.com"}, "type":"dns", "resource":"v10-win.vortex.data.microsoft.com.akadns.net.", "bytes_in":73, "method":"QUERY", "server":""}, Private:interface {}(nil)}, Flags:0x0} (status=400): {"type":"mapper_parsing_exception","reason":"Failed to parse mapping [doc]: Mapping definition for [body] has unsupported parameters: [ignore_above : 1024]","caused_by":{"type":"mapper_parsing_exception","reason":"Mapping definition for [body] has unsupported parameters: [ignore_above : 1024]"}}
Thoughts of where to go to chase this down and correct?
Thanks
TimW
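The rejection in the log above comes from the index template, not from the event itself: Elasticsearch accepts ignore_above only on keyword fields, and the mapping for the field [body] under the [doc] type carries ignore_above on a different type. The script below is an added example for checking a template for exactly that problem; it is not part of the post or of Packetbeat. It walks a template body in the 6.x shape (mappings nested under the mapping type, here "doc") or the 7.x shape (mappings -> properties), reports every non-keyword field that carries ignore_above, and produces a corrected copy. The template embedded in it is a constructed sample that reproduces the symptom, not the real packetbeat-6.5.4 template.

```python
import copy
import json

# Elasticsearch accepts ignore_above only on keyword fields; on any other field
# type the mapping is rejected with "unsupported parameters: [ignore_above ...]".
KEYWORD_ONLY_PARAMS = ("ignore_above",)

# Constructed sample of an index template body in the ES 6.x shape
# (mappings nested under the mapping type "doc"). Not the real packetbeat template.
SAMPLE_TEMPLATE = {
    "index_patterns": ["packetbeat-6.5.4-*"],
    "mappings": {
        "doc": {
            "properties": {
                "dns": {"properties": {
                    "question": {"properties": {
                        "name": {"type": "keyword", "ignore_above": 1024},
                    }},
                }},
                "http": {"properties": {
                    "request": {"properties": {
                        # text field carrying a keyword-only parameter: rejected by ES
                        "body": {"type": "text", "ignore_above": 1024},
                        "headers": {"type": "keyword", "ignore_above": 1024},
                    }},
                }},
                "message": {"type": "text", "fields": {
                    "raw": {"type": "keyword", "ignore_above": 256},
                }},
            }
        }
    },
}


def _root_properties(template):
    """Return the top-level 'properties' dict for both the 6.x shape
    (mappings -> <type> -> properties) and the 7.x shape (mappings -> properties)."""
    mappings = template.get("mappings", {})
    if "properties" in mappings:
        return mappings["properties"]
    for _type_name, body in mappings.items():
        if isinstance(body, dict) and "properties" in body:
            return body["properties"]
    return {}


def find_unsupported_params(properties, path=""):
    """Walk a mapping tree and return (field_path, field_type, param) for every
    field that carries a keyword-only parameter but is not of type keyword."""
    findings = []
    for name, spec in properties.items():
        full = f"{path}.{name}" if path else name
        # a field with sub-properties and no explicit type is an object
        ftype = spec.get("type", "object" if "properties" in spec else None)
        for param in KEYWORD_ONLY_PARAMS:
            if param in spec and ftype != "keyword":
                findings.append((full, ftype, param))
        # nested objects and multi-fields are mapping trees too
        if "properties" in spec:
            findings.extend(find_unsupported_params(spec["properties"], full))
        if "fields" in spec:
            findings.extend(find_unsupported_params(spec["fields"], full))
    return findings


def check_template(template):
    """Report offending fields in a template body as returned by GET _template/<name>."""
    return find_unsupported_params(_root_properties(template))


def strip_unsupported_params(template):
    """Return a deep copy of the template with keyword-only parameters removed
    from non-keyword fields, so the corrected body can be loaded instead."""
    fixed = copy.deepcopy(template)

    def walk(properties):
        for spec in properties.values():
            ftype = spec.get("type", "object" if "properties" in spec else None)
            if ftype != "keyword":
                for param in KEYWORD_ONLY_PARAMS:
                    spec.pop(param, None)
            for key in ("properties", "fields"):
                if key in spec:
                    walk(spec[key])

    walk(_root_properties(fixed))
    return fixed


if __name__ == "__main__":
    for field, ftype, param in check_template(SAMPLE_TEMPLATE):
        print(f"{field}: type={ftype} carries unsupported parameter {param}")
    print(json.dumps(strip_unsupported_params(SAMPLE_TEMPLATE), indent=2))
```

To run it against the live cluster, fetch the template the beat loaded (GET _template/packetbeat-6.5.4 on the ES node the beat points at; the beat names its template after its version by default) and pass the body of that entry to check_template. Comparing the result with what packetbeat export template prints on each of the two downstream hosts shows whether the offending definition comes from the beat's shipped template or from a template already present in the cluster.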