"reason":"'?' is not an IP string literal

Hello.

I am running the ELK stack with Filebeat with the auditd module and using the pipeline filebeat-7.3.0-auditd-log-pipeline.
A lot of my logs related to docker end up in the DLQ with the following message.

```
{"level":"WARN","loggerName":"logstash.outputs.elasticsearch","timeMillis":1576067343909,"thread":"[main]>worker0","logEvent":{"message":"Could not index event to Elasticsearch.","status":400,"action":["index",{"_index":"filebeat-7.3.0","_type":"_doc","pipeline":"filebeat-7.3.0-auditd-log-pipeline"},{"metaClass":{"metaClass":{"metaClass":{"action":"["index", {:_id=>nil, :_index=>"filebeat-7.3.0", :_type=>"_doc", :routing=>nil, :pipeline=>"filebeat-7.3.0-auditd-log-pipeline"}, #LogStash::Event:0x171cda88]","response":{"index":{"_index":"filebeat-7.3.0-000016","_type":"_doc","_id":"7U3v9G4BybKVV4KXJVZ0","status":400,"error":{"type":"mapper_parsing_exception","reason":"failed to parse field [auditd.log.addr] of type [ip] in document with id '7U3v9G4BybKVV4KXJVZ0'","caused_by":{"type":"illegal_argument_exception","reason":"'?' is not an IP string literal."}}}}}}}}]}}
```

Does anybody know how I can resolve this?

Hi, it looks like a mapping problem.

Could you check in the events that are sent by Filebeat what is inside the auditd.log.addr field? Elasticsearch complains that what is sent is not an IP string literal.

I suspect it's because of how docker interacts with auditd.
I am seeing the following:

```
type=VIRT_CONTROL msg=audit(1574942196.355:3871474): pid=9724 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='op=start vm=? vm-pid=? ctr_id_short=? reason=api user=? auid=4294967295 exe=? hostname=? exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
```

I suspect this is how docker is interacting with auditd, and an addition to the Filebeat pipeline for auditd would be needed.
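To show what such an addition has to do, here is an added example (not code from the thread, Filebeat or Elastic) that parses an auditd record of the shape quoted above, and validates the `addr` value as an IP literal before it is placed in an event, dropping the field when auditd wrote its `?` placeholder. The sample records and the `parse_audit_record`, `normalize_addr` and `build_event` helpers are constructed for this illustration; the `auditd.log.*` field layout mirrors the field name in the error message.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample: a dockerd VIRT_CONTROL record where every unknown value,
# including the address, is written as the placeholder "?".
SAMPLE_DOCKER_RECORD = (
    "type=VIRT_CONTROL msg=audit(1574942196.355:3871474): pid=9724 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 "
    "msg='op=start vm=? vm-pid=? ctr_id_short=? reason=api user=? auid=4294967295 "
    "exe=? hostname=? exe=\"/usr/bin/dockerd-current\" hostname=? addr=? "
    "terminal=? res=success'"
)

# Constructed sample: a record that carries a real address (TEST-NET-1 range).
SAMPLE_LOGIN_RECORD = (
    "type=USER_LOGIN msg=audit(1574942200.000:1): pid=1 uid=0 auid=1000 ses=5 "
    "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.10 "
    "terminal=ssh res=success'"
)

# key=value tokens; the value is single-quoted, double-quoted, or bare.
_KV_RE = re.compile(r"(\S+?)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_audit_record(line: str) -> Dict[str, str]:
    """Flatten an auditd record into a dict.

    The nested msg='...' payload is parsed into the same dict; a later
    duplicate key (e.g. the second exe=) overwrites the earlier one.
    """
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith("'") and value.endswith("'"):
            inner = value[1:-1]
            if "=" in inner:
                for k2, v2 in _KV_RE.findall(inner):
                    fields[k2] = v2.strip('"')
                continue
            value = inner
        fields[key] = value.strip('"')
    return fields


def normalize_addr(value: Optional[str]) -> Optional[str]:
    """Return value if it is a valid IPv4/IPv6 literal, otherwise None.

    An Elasticsearch field mapped as type ip rejects "?" for the whole
    document, so anything that is not an address must not reach that field.
    """
    if value is None:
        return None
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return None
    return value


def build_event(line: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Build an auditd.log.* event, keeping addr only when it is a real IP."""
    fields = parse_audit_record(line)
    addr = normalize_addr(fields.get("addr"))
    if addr is None:
        # Remove the field rather than indexing the placeholder.
        fields.pop("addr", None)
    else:
        fields["addr"] = addr
    return {"auditd": {"log": fields}}


if __name__ == "__main__":
    for record in (SAMPLE_DOCKER_RECORD, SAMPLE_LOGIN_RECORD):
        log = build_event(record)["auditd"]["log"]
        print(log["type"], "addr" in log, log.get("addr"))
```

The same outcome inside Elasticsearch would be a `remove` processor with an `if` condition (matching `auditd.log.addr` equal to `?`) placed ahead of the step that indexes the field; the Python above just makes the check visible and testable outside the pipeline.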
