Seeing a lot of failed to execute pipeline [geoip-info] for document [auditbeat-7.4.0-insertdatehere./_doc/null]

starrynight · October 15, 2019, 7:22am

I've just started to configure the pipeline for Elastic SIEM for geopoints and am finding that my pipeline completely stops (usually as the index rolls over for the next day, I literally am not erroring as of 23:58 of that day and stops as of 00:00) and a ton of these errors in my logs:

[2019-10-15T00:00:42,382][DEBUG][o.e.a.b.TransportBulkAction] [hostname] failed to execute pipeline [geoip-info] for document [auditbeat-7.4.0-2019.
10.14/_doc/null]

org.elasticsearch.ElasticsearchException: java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: field [host.ip] of type [java.util.ArrayList] can
not be cast to [java.lang.String]

Once I comment out the pipeline from my output file in /etc/logstash/conf.d and restart logstash, I'm not even seeing the host.ip field populate and so I'm rather confused how to debug this as I'd rather like to have geopoints than not. Not only that it appears to completely stop logging from happening until I comment out the pipeline in the output file and restart everything (and therefore wait until it can recover). Any ideas what I'm doing wrong? (..and thanks from an elastic noob)

Igor_Motov · October 18, 2019, 11:56am

In other words it expects to see something like "1.2.3.4" there, but it gets something like ["1.2.3.4", "5.6.7.8"] and cannot process it.

starrynight · October 22, 2019, 7:57am

Is there any good way to debug that? .. because after I've moved to the time period in which this error started, I'm not finding the host.ip field info or even the log populate that is causing that error... (Thanks!)

Igor_Motov · October 22, 2019, 3:16pm

Is there a stacktrace after this error message?

system · November 19, 2019, 3:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.