Are you using the NGINX Filebeat module? If yes, it's possible that the error message is coming from the module. Messages coming from Filebeat go through the default modules pipeline. That's not appropriate in your case.
I would customize the existing NGINX pipeline to match your log format. Load it to Elasticsearch with a new ID. Then set the option pipeline of the input to use it.
Filebeat modules are made for smoothing the getting started experience of new users. So by default its pipeline does not support custom log formats. However, advanced Filebeat users can modify the patterns in module/nginx/access/ingest/default.json and their own format. After the pipeline is updated, it needs to be loaded to the Ingest node. Right now in order to update an existing pipeline, you need to delete it manually and then load the new version. But in the next release filebeat.update_pipelines is introduced. If it's set to true pipelines are always updated.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.