Hi, I am trying to use the NGINX module. Filebeat, Elasticsearch and Kibana are running version 6.1.0.
According to the extract from the Filebeat logs below, I am experiencing an index issue due to a parsing exception ... Any help is highly appreciated to know in which direction to investigate. Thanks.
2018-03-13T09:58:52+01:00 DBG [publish] Publish event: {
"@timestamp": "2018-03-13T08:58:52.197Z",
"@metadata": {
"beat": "filebeat",
"type": "doc",
"version": "6.1.0",
"pipeline": "filebeat-6.1.0-nginx-access-default"
},
"source": "/opt/application/nginxstatic/logs/access.log",
"offset": 1199579,
"message": "127.0.0.1 - - - [13/Mar/2018:09:58:51 +0100] "GET /nginx_status?consul HTTP/1.1" 301 178 "-" - "0.000 msec" ",
"fileset": {
"name": "access",
"module": "nginx"
},
"prospector": {
"type": "log"
},
"beat": {
"name": "192.168.2.13",
"hostname": "i-0013d126-rp-static-server-15102233541.novalocal",
"version": "6.1.0"
}
}
2018-03-13T09:58:52+01:00 DBG [harvester] End of file reached: /opt/application/nginxstatic/logs/access.log; Backoff now.
2018-03-13T09:58:52+01:00 DBG [elasticsearch] PublishEvents: 2 events have been published to elasticsearch in 5.590765ms.
2018-03-13T09:58:52+01:00 WARN Can not index event (status=400): {"type":"mapper_parsing_exception","reason":"Failed to parse mapping [doc]: Mapping definition for [error] has unsupported parameters: [properties : {code={type=long}, message={norms=false, type=text}, type={ignore_above=1024, type=keyword}}]","caused_by":{"type":"mapper_parsing_exception","reason":"Mapping definition for [error] has unsupported parameters: [properties : {code={type=long}, message={norms=false, type=text}, type={ignore_above=1024, type=keyword}}]"}}
2018-03-13T09:58:52+01:00 WARN Can not index event (status=400): {"type":"mapper_parsing_exception","reason":"Failed to parse mapping [doc]: Mapping definition for [error] has unsupported parameters: [properties : {code={type=long}, message={norms=false, type=text}, type={ignore_above=1024, type=keyword}}]","caused_by":{"type":"mapper_parsing_exception","reason":"Mapping definition for [error] has unsupported parameters: [properties : {code={type=long}, message={norms=false, type=text}, type={ignore_above=1024, type=keyword}}]"}}
When downgrading Filebeat to 5.6.0, I get the event in Kibana (loved it) but with an error message:
error: Provided Grok expressions do not match field value: [127.0.0.1 - - - [13/Mar/2018:11:38:54 +0100] "GET /nginx_status?consul HTTP/1.1" 301 178 "-" - "0.000 msec" ]
I can imagine that the root cause is nginx version 1.6.2 when Elastic alerts that testing has been performed from nginx 1.10 ... ?
Hello exekias, thanks for your swift reply. I guess I do not use a custom index pattern, but I'll let you check the updated content of my filebeat.yml. For your information, I first updated my Elasticsearch & Kibana nodes from 5.5.0 to 6.1.0, applying the Kibana index migration procedure detailed in https://www.elastic.co/guide/en/kibana/6.1/migrating-6.0-index.html
#-------------------------------- Nginx Module -------------------------------
- module: nginx
  # Access logs
  access:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
Once nginx was upgraded to 1.12.2, I am still facing the error: Provided Grok expressions do not match field value ... really disappointing since my setup is fully based on the packaged NGINX module provided by Elasticsearch. Nginx log lines look well formatted. No idea about the root cause.
Here is the JSON format event from Kibana:
I performed a full reinstall: Filebeat, Kibana, Elasticsearch from scratch with version 6.1.0.
I still have the index error event in the Filebeat logfile. On the Elasticsearch logfile side, it looks like it tries to execute a Filebeat pipeline tagged as 5.6.0 !!!!
[2018-03-16T11:15:56,861][DEBUG][o.e.a.b.TransportBulkAction] [i-0016e5a0-elk-server-15210429051-MyInstanceES] failed to execute pipeline [filebeat-5.6.0-nginx-access-default] for document [filebeat-2018.03.16/doc/null]
java.lang.IllegalArgumentException: pipeline with id [filebeat-5.6.0-nginx-access-default] does not exist
at org.elasticsearch.ingest.PipelineExecutionService.getPipeline(PipelineExecutionService.java:194) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.ingest.PipelineExecutionService.access$100(PipelineExecutionService.java:42) ~[elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.ingest.PipelineExecutionService$2.doRun(PipelineExecutionService.java:94) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:637) [elasticsearch-6.1.0.jar:6.1.0]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.1.0.jar:6.1.0]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_144]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_144]
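An added example, not part of the original posts and not Filebeat's own code: one way to find where an access-log line departs from the layout a parser expects, applied to the line quoted in the grok error above. It assumes the parser expects nginx's stock `combined` layout; the regex fragments, the `STOCK_LINE` and `MIXED_LINE` samples and the function names are constructed for this illustration and are not the module's grok pattern.

```python
import re

# Ordered fragments approximating nginx's stock "combined" layout (assumption).
COMBINED_PARTS = [
    ("remote_ip", r'(?P<remote_ip>\S+)'),
    ("separator", r' - '),
    ("user",      r'(?P<user>\S+)'),
    ("time",      r' \[(?P<time>[^\]]+)\]'),
    ("request",   r' "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<http_version>[\d.]+)"'),
    ("status",    r' (?P<status>\d{3})'),
    ("bytes",     r' (?P<bytes>\d+)'),
    ("referrer",  r' "(?P<referrer>[^"]*)"'),
    ("agent",     r' "(?P<agent>[^"]*)"'),
    ("end",       r'\s*$'),
]
FULL = re.compile("".join(frag for _, frag in COMBINED_PARTS))

# Log line as quoted in the thread's grok error.
PAGE_LINE = ('127.0.0.1 - - - [13/Mar/2018:09:58:51 +0100] '
             '"GET /nginx_status?consul HTTP/1.1" 301 178 "-" - "0.000 msec" ')
# Constructed samples: a stock-layout line, and one with only the custom tail.
STOCK_LINE = ('127.0.0.1 - - [13/Mar/2018:09:58:51 +0100] '
              '"GET /nginx_status?consul HTTP/1.1" 301 178 "-" "curl/7.38.0"')
MIXED_LINE = ('127.0.0.1 - - [13/Mar/2018:09:58:51 +0100] '
              '"GET /nginx_status?consul HTTP/1.1" 301 178 "-" - "0.000 msec"')

def parse(line):
    """Return the extracted fields, or None when the line does not match."""
    m = FULL.match(line)
    return m.groupdict() if m else None

def first_failing_part(line):
    """Grow the pattern one fragment at a time and name the first fragment
    at which the line stops matching; None means the whole line matches."""
    pattern = ""
    for name, frag in COMBINED_PARTS:
        pattern += frag
        if re.match(pattern, line) is None:
            return name
    return None

if __name__ == "__main__":
    for label, line in (("page", PAGE_LINE), ("stock", STOCK_LINE),
                        ("mixed", MIXED_LINE)):
        print(label, "->", first_failing_part(line) or "matches")
```

The name returned points at the first field where the line and the expected layout disagree, which is where the nginx `log_format` directive and the parsing pattern should be compared.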