Parsing Error in Fortinet-Module Pipeline blasts up message log

Hey guys,

First off, a few details about my cluster:

Cluster of 3 servers - 1x master, 2x data nodes
All of them are running ES 7.8 and Filebeat 7.8 (Kibana as well on the master node, of course)
OS: CentOS 7 (Kernel 3.10.0-957)
I noticed that there is now a Fortinet module within Filebeat, and I decided to try it out.

Fortinet Config:

- module: fortinet
  firewall:
    enabled: true

    # Set which input to use between tcp, udp (default) or file.
    var.input: udp

    # The interface to listen to syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: X.X.X.X

    # The port to listen for syslog traffic. Defaults to 9004.
    var.syslog_port: Y.Y.Y.Y

It works, I receive the logs from around 15 devices. But today I noticed that my /var/log/messages file has been exploding since the activation of the Fortinet module.

I get the following error:

{"type":"mapper_parsing_exception","reason":"failed to parse field [fortinet.firewall.assignip] of type [ip] in document with id '5l6cVnMBP7KwE6GF3kEA'. Preview of field's value: 'N/A'","caused_by":{"type":"illegal_argument_exception","reason":"'N/A' is not an IP string literal."}}
Jul 16 09:53:07 datanode02 filebeat: 2020-07-16T09:53:07.078+0200#011INFO#011[publisher]#011pipeline/retry.go:221#011retryer: send unwait signal to consumer
Jul 16 09:53:07 datanode02 filebeat: 2020-07-16T09:53:07.078+0200#011INFO#011[publisher]#011pipeline/retry.go:225#011  done

Any ideas how to get rid of it? I just cannot keep an eye on this log file forever.

Kind regards,
Moritz

I checked the ingest pipeline and found the following:

{
  "remove": {
    "if": "ctx.fortinet?.firewall?.assignip == 'N/A'",
    "field": "fortinet.firewall.assignip"
  }
}

So actually these events should not occur, since the field should already have been removed beforehand.
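To see which values the quoted remove processor actually catches before the ip-typed mapper sees them, here is an added example (not from the post, the Filebeat module or Elastic) that replays the same literal comparison and a stricter IP-validity check over constructed events; the field path is the one from the error message, everything else is assumed.

```python
import copy
import ipaddress

FIELD = "fortinet.firewall.assignip"  # the ip-typed field named in the error
# Constructed sample events shaped like the module's output (values are invented).
SAMPLE_EVENTS = [
    {"fortinet": {"firewall": {"assignip": "10.0.0.5"}}},  # valid IPv4, indexes fine
    {"fortinet": {"firewall": {"assignip": "N/A"}}},       # exactly what the processor matches
    {"fortinet": {"firewall": {"assignip": "N/A "}}},      # trailing space: not == 'N/A'
    {"fortinet": {"firewall": {"assignip": "n/a"}}},       # different case: not == 'N/A'
    {"fortinet": {"firewall": {"assignip": ""}}},          # empty string
    {"fortinet": {"firewall": {}}},                        # field absent, nothing to do
]

def _parent(event, path):
    """Walk the dotted path; return (parent dict or None, leaf key)."""
    *parents, leaf = path.split(".")
    node = event
    for key in parents:
        node = node.get(key) if isinstance(node, dict) else None
    return (node if isinstance(node, dict) else None), leaf

def remove_if_literal(event, path=FIELD, literal="N/A"):
    """Same logic as the ingest 'remove' processor quoted in the post."""
    parent, leaf = _parent(event, path)
    if parent is not None and parent.get(leaf) == literal:
        del parent[leaf]
    return event

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def would_fail(event, path=FIELD):
    """True if the field is present with a value an 'ip' mapper rejects."""
    parent, leaf = _parent(event, path)
    return parent is not None and leaf in parent and not is_ip_literal(parent[leaf])

def remove_if_not_ip(event, path=FIELD):
    """Stricter variant (assumed, not part of the module): drop any non-IP value."""
    parent, leaf = _parent(event, path)
    if would_fail(event, path):
        del parent[leaf]
    return event

def count_mapping_failures(events, processor):
    return sum(would_fail(processor(copy.deepcopy(e))) for e in events)  # events still rejected
```

Running `count_mapping_failures(SAMPLE_EVENTS, remove_if_literal)` shows that only the exact string 'N/A' is dropped, so any other non-IP variant still reaches the mapper; the stricter variant leaves nothing for the mapper to reject.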
