Hello.
I am running an ELK stack with Filebeat with the auditd module, using the pipeline filebeat-7.3.0-auditd-log-pipeline.
A lot of my logs related to Docker end up in the DLQ with the following message:
```
{"level":"WARN","loggerName":"logstash.outputs.elasticsearch","timeMillis":1576067343909,"thread":"[main]>worker0","logEvent":{"message":"Could not index event to Elasticsearch.","status":400,"action":["index",{"_index":"filebeat-7.3.0","_type":"_doc","pipeline":"filebeat-7.3.0-auditd-log-pipeline"},{"metaClass":{"metaClass":{"metaClass":{"action":"["index", {:_id=>nil, :_index=>"filebeat-7.3.0", :_type=>"_doc", :routing=>nil, :pipeline=>"filebeat-7.3.0-auditd-log-pipeline"}, #LogStash::Event:0x171cda88]","response":{"index":{"_index":"filebeat-7.3.0-000016","_type":"_doc","_id":"7U3v9G4BybKVV4KXJVZ0","status":400,"error":{"type":"mapper_parsing_exception","reason":"failed to parse field [auditd.log.addr] of type [ip] in document with id '7U3v9G4BybKVV4KXJVZ0'","caused_by":{"type":"illegal_argument_exception","reason":"'?' is not an IP string literal."}}}}}}}}]}}
```
Does anybody know how I can resolve this?