"reason":"'?' is not an IP string literal

Hello.

I am running the ELK stack with Filebeat, using the auditd module and the pipeline filebeat-7.3.0-auditd-log-pipeline.
A lot of my logs related to Docker end up in the DLQ with the following message.

```
{"level":"WARN","loggerName":"logstash.outputs.elasticsearch","timeMillis":1576067343909,"thread":"[main]>worker0","logEvent":{"message":"Could not index event to Elasticsearch.","status":400,"action":["index",{"_index":"filebeat-7.3.0","_type":"_doc","pipeline":"filebeat-7.3.0-auditd-log-pipeline"},{"metaClass":{"metaClass":{"metaClass":{"action":"["index", {:_id=>nil, :_index=>"filebeat-7.3.0", :_type=>"_doc", :routing=>nil, :pipeline=>"filebeat-7.3.0-auditd-log-pipeline"}, #LogStash::Event:0x171cda88]","response":{"index":{"_index":"filebeat-7.3.0-000016","_type":"_doc","_id":"7U3v9G4BybKVV4KXJVZ0","status":400,"error":{"type":"mapper_parsing_exception","reason":"failed to parse field [auditd.log.addr] of type [ip] in document with id '7U3v9G4BybKVV4KXJVZ0'","caused_by":{"type":"illegal_argument_exception","reason":"'?' is not an IP string literal."}}}}}}}}]}}
```

Does anybody know how I can resolve this?

Hi, it looks like a mapping problem.

Could you check in the events that are sent by Filebeat what is inside the auditd.log.addr field? Elasticsearch complains that what is sent is not an IP string literal.

I suspect it's because of how Docker interacts with auditd.
I am seeing the following:

```
type=VIRT_CONTROL msg=audit(1574942196.355:3871474): pid=9724 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='op=start vm=? vm-pid=? ctr_id_short=? reason=api user=? auid=4294967295 exe=? hostname=? exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
```

I suspect this is how Docker is interacting with auditd and I would need to make an addition to the Filebeat pipeline for auditd.
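The failure above comes from auditd's `?` placeholder (meaning "unset") reaching a field mapped as `ip`. As an added example, not code from the thread or from the Filebeat module, the following Python parses an auditd record of this shape (the quoted `msg='...'` body included) and drops or validates `addr` before it would be indexed; the `auditd.log.*` document layout is assumed to mirror the field name in the error, and the sample record is constructed from the one quoted above.

```python
import ipaddress
import shlex

# Constructed sample, modelled on the VIRT_CONTROL record quoted in the thread.
SAMPLE = ("type=VIRT_CONTROL msg=audit(1574942196.355:3871474): pid=9724 uid=0 "
          "auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 "
          "msg='op=start vm=? vm-pid=? ctr_id_short=? reason=api user=? auid=4294967295 "
          "exe=? hostname=? exe=\"/usr/bin/dockerd-current\" hostname=? addr=? terminal=? res=success'")

# auditd writes '?' for values it does not know; this must never reach an `ip` field.
UNSET = "?"


def parse_audit_record(line):
    """Parse one auditd line into a dict of key=value pairs.

    The record head and the quoted msg='...' body are both split; a key that
    appears twice (exe=? followed by exe="/usr/bin/...") keeps its first
    non-'?' value so the real path survives the placeholder.
    """
    head, _, body = line.partition(" msg='")
    fields = {}
    for part in (head, body.rstrip("'")):
        for token in shlex.split(part):      # shlex strips the exe="..." quoting
            key, sep, value = token.partition("=")
            if not sep:
                continue
            if key not in fields or fields[key] == UNSET:
                fields[key] = value
    return fields


def normalise_ip_field(fields, key="addr"):
    """Return a value safe for an `ip`-mapped field, or None if the record
    carries '?' or anything that is not a valid IPv4/IPv6 literal."""
    value = fields.get(key)
    if value is None or value == UNSET:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def to_document(line):
    """Build the document to index; `addr` is removed when it is not an IP."""
    fields = parse_audit_record(line)
    addr = normalise_ip_field(fields)
    if addr is None:
        fields.pop("addr", None)   # same effect as a guarded `remove` processor
    else:
        fields["addr"] = addr
    return {"auditd": {"log": fields}}   # assumed layout, matching auditd.log.addr
```

The in-pipeline equivalent is a `remove` processor on `auditd.log.addr` guarded by an `if` condition that checks for the `?` value, so that the document is indexed without the field instead of being rejected.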