Hi Tamba,
I have tried the steps you have mentioned and it is still not working. I have added the "mutate rename" you suggested and also tried to search few forums and added "if "MSEC" in [message]" . Attached the config files.
Please help us out with this error message below and let us know the next steps.
Also if you can provide a working filebeat.yml file and also logstash config file , elasticsearch.yml file (additional if we want to roll back to elastic search and not use logstash). Also please let us know any other config files are there by default. If nothing works we would start afresh we can use these files in our environment.
Here is the error message and also the CONFIG files:
Output for** **sudo cat /var/log/logstash/logstash-plain.log | grep --color=auto -i -E "error|warn":
apper]"}}}}
[2020-05-31T15:18:56,607][WARN ][logstash.outputs.elasticsearch][main][f265b93a0021d1fdadd11ff9db9a91e83eaae24e6481942bc3950917832feda1] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"wazuh-alerts-3.x-2020.05.31", :routing=>nil, :_type=>"wazuh"}, #LogStash::Event:0x220143c6], :response=>{"index"=>{"_index"=>"wazuh-alerts-3.x-2020.05.31", "_type"=>"wazuh", "_id"=>"3PYsbHIBtQIrr09cN_BR", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [host] of different type, current_type [keyword], merged_type [ObjectMapper]"}}}}
[2020-05-31T15:18:56,601][WARN ][logstash.outputs.elasticsearch][main][f265b93a0021d1fdadd11ff9db9a91e83eaae24e6481942bc3950917832feda1] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"wazuh-alerts-3.x-2020.05.31", :routing=>nil, :_type=>"wazuh"}, #LogStash::Event:0x34ba64cb], :response=>{"index"=>{"_index"=>"wazuh-alerts-3.x-2020.05.31", "_type"=>"wazuh", "_id"=>"2fYsbHIBtQIrr09cN_BM", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [host] of different type, current_type [keyword], merged_type [ObjectMapper]"}}}}
[2020-05-31T15:18:56,607][WARN ][logstash.outputs.elasticsearch][main][f265b93a0021d1fdadd11ff9db9a91e83eaae24e6481942bc3950917832feda1] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"wazuh-alerts-3.x-2020.05.31", :routing=>nil, :_type=>"wazuh"}, #LogStash::Event:0x6c883eb9], :response=>{"index"=>{"_index"=>"wazuh-alerts-3.x-2020.05.31", "_type"=>"wazuh", "_id"=>"4PYsbHIBtQIrr09cN_BT", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [host] of different type, current_type [keyword], merged_type [ObjectMapper]"}}}}
[2020-05-31T15:18:56,609][WARN ][logstash.outputs.elasticsearch][main][f265b93a0021d1fdadd11ff9db9a91e83eaae24e6481942bc3950917832feda1] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"wazuh-alerts-3.x-2020.05.31", :routing=>nil, :_type=>"wazuh"}, #LogStash::Event:0x6a829c70], :response=>{"index"=>{"_index"=>"wazuh-alerts-3.x-2020.05.31", "_type"=>"wazuh", "_id"=>"3fYsbHIBtQIrr09cN_BR", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [host] of different type, current_type [keyword], merged_type [ObjectMapper]"}}}}
[2020-05-31T15:18:56,609][WARN ][logstash.outputs.elasticsearch][main][f265b93a0021d1fdadd11ff9db9a91e83eaae24e6481942bc3950917832feda1] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"wazuh-alerts-3.x-2020.05.31", :routing=>nil, :_type=>"wazuh"}, #LogStash::Event:0x1ffaa79f], :response=>{"index"=>{"_index"=>"wazuh-alerts-3.x-2020.05.31", "_type"=>"wazuh", "_id"=>"4fYsbHIBtQIrr09cN_BT", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [host] of different type, current_type [keyword], merged_type [ObjectMapper]"}}}}
[2020-05-31T15:18:56,608][WARN ][logstash.outputs.elasticsearch][main][f265b93a0021d1fdadd11ff9db9a91e83eaae24e6481942bc3950917832feda1] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"wazuh-alerts-3.x-2020.05.31", :routing=>nil, :_type=>"wazuh"}, #LogStash::Event:0x23c4f16e], :response=>{"index"=>{"_index"=>"wazuh-alerts-3.x-2020.05.31", "_type"=>"wazuh", "_id"=>"4vYsbHIBtQIrr09cN_BX", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [host] of different type, current_type [keyword], merged_type [ObjectMapper]"}}}}
[2020-05-31T15:18:56,609][WARN ][logstash.outputs.elasticsearch][main][f265b93a0021d1fdadd11ff9db9a91e83eaae24e6481942bc3950917832feda1] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"wazuh-alerts-3.x-2020.05.31", :routing=>nil, :_type=>"wazuh"}, #LogStash::Event:0x4b30a873], :response=>{"index"=>{"_index"=>"wazuh-alerts-3.x-2020.05.31", "_type"=>"wazuh", "_id"=>"3vYsbHIBtQIrr09cN_BS", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [host] of different type, current_type [keyword], merged_type [ObjectMapper]"}}}}
[2020-05-31T15:18:56,613][WARN ][logstash.outputs.elasticsearch][main][f265b93a0021d1fdadd11ff9db9a91e83eaae24e6481942bc3950917832feda1] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"wazuh-alerts-3.x-2020.05.31", :routing=>nil, :_type=>"wazuh"}, #LogStash::Event:0x5ccc71f4], :response=>{"index"=>{"_index"=>"wazuh-alerts-3.x-2020.05.31", "_type"=>"wazuh", "_id"=>"3_YsbHIBtQIrr09cN_BS", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [host] of different type, current_type [keyword], merged_type [ObjectMapper]"}}}}
[2020-05-31T15:19:03,572][WARN ][logstash.outputs.elasticsearch][main][f265b93a0021d1fdadd11ff9db9a91e83eaae24e6481942bc3950917832feda1] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"wazuh-alerts-3.x-2020.05.31", :routing=>nil, :_type=>"wazuh"}, #LogStash::Event:0x22aa4e33], :response=>{"index"=>{"_index"=>"wazuh-alerts-3.x-2020.05.31", "_type"=>"wazuh", "_id"=>"4_YsbHIBtQIrr09cUvCL", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [host] of different type, current_type [keyword], merged_type [ObjectMapper]"}}}}
Logstash conf file
input {
beats {
port => 5000
ssl => true
ssl_certificate => ""
ssl_key => ""
}
}
filter {
json {
source => "message"
}
}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
if "MSEC" in [message] {
mutate {
gsub => [ "message", ","MSEC":.{3},", ","]
}
}
}
filter {
geoip {
source => "@src_ip"
target => "GeoLocation"
fields => ["city_name", "country_name", "region_name", "location"]
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field =>[ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
}
mutate {
rename => {"host" => "[host][name]"}
}
}
output {
elasticsearch {
hosts => ["10.7.110.195:9200"]
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
document_type => "wazuh"
}
}
Filebeat yml:
Wazuh - Filebeat configuration file
filebeat:
inputs:
output.logstash:
The Logstash hosts
hosts: ["10.7.110.195:5000"]
ssl:
certificate_authorities: [""]