The whole log of OpenEDR is inside the message field in Kibana. Urgent!

hi,

sudo lsof -i :5044 | grep LISTEN
java    2190022 logstash  105u  IPv6 31688859      0t0  TCP *:lxi-evntsvc (LISTEN)

It's Logstash.

ps aux | grep logstash
logstash 2190022
sudo lsof -i :5044
COMMAND     PID     USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
java    2190022 logstash  105u  IPv6 31688859      0t0  TCP *:lxi-evntsvc (LISTEN)
java    2190022 logstash  106u  IPv6 31808542      0t0  TCP freeipa.izmo.local:lxi-evntsvc->10.125.103.10:64585 (ESTABLISHED)

If I kill it with
sudo kill -9 2190022
will it cause any problems?

I just changed the port in the Logstash .conf file to 5055 first, ran that file, and then changed it back to 5044 in the .conf file's input plugin,
as:

input {
    beats {
        port => 5044
    }
}

It is storing the logs in /tmp/logstash-raw-input.log

"message":"{\"baseEventType\":1,\"baseType\":1,\"childProcess\":{\"cmdLine\":\"\\\"C:\\\\Program Files (x86)\\\\Google\\\\GoogleUpdater\\\\126.0.6441.0\\\\updater.exe\\\" --wake --system\",\"creationTime\":1714715982530,\"elevationType\":1,\"flsVerdict\":1,\"id\":10999936618964764872,\"imageHash\":\"fcb1003051d25cb9c9b6e6a4655ca0ca0d8afa8f\",\"imagePath\":\"C:\\\\Program Files (x86)\\\\Google\\\\GoogleUpdater\\\\126.0.6441.0\\\\updater.exe\",\"pid\":128,\"scriptContent\":\"<undefined>\",\"verdict\":1},\"customerId\":\"\",\"deviceName\":\"IZDT-226\",\"endpointId\":\"\",\"eventType\":null,\"processes\":[{\"creationTime\":1714392570626,\"flsVerdict\":3,\"id\":13324682947529074784,\"imageHash\":\"2dfb00cd9a44a8a016452e1df01c0cec51870407\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\wininit.exe\",\"pid\":784,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1},{\"creationTime\":1714392570787,\"flsVerdict\":3,\"id\":7637858354080847475,\"imageHash\":\"e5704d8e560122c2a23de8912ae63b213d67c860\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"pid\":856,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1},{\"creationTime\":1714392575010,\"flsVerdict\":3,\"id\":17161845277298762182,\"imageHash\":\"445f5f38365af88ec29b357f4696f0e3ee50a1d8\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"pid\":2004,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1}],\"sessionUser\":\"SYSTEM@NT AUTHORITY\",\"time\":1714715982603,\"type\":\"RP1.1\",\"version\":\"1.1\"}","input":{"type":"filestream"},"tags":["beats_input_codec_plain_applied"],"host":{"os":{"type":"windows","name":"Windows 10 Pro","build":"19045.4291","kernel":"10.0.19041.4291 (WinBuild.160101.0800)","version":"10.0","platform":"windows","family":"windows"},"ip":["fe80::658:99ed:7bfb:613c","10.125.103.10"],"mac":["F8-BC-12-5D-C2-AD"],"name":"izdt-226","hostname":"izdt-226","id":"b6f1b6a5-2801-46b5-820d-369b087e23fb","architecture":"x86_64"}}

{"event":{"original":"{\"baseEventType\":1,\"baseType\":1,\"childProcess\":{\"cmdLine\":\"\\\"C:\\\\Program Files (x86)\\\\Google\\\\GoogleUpdater\\\\126.0.6441.0\\\\updater.exe\\\" --system --windows-service --service=update\",\"creationTime\":1714715982977,\"elevationType\":1,\"flsVerdict\":1,\"id\":3795433696027756646,\"imageHash\":\"fcb1003051d25cb9c9b6e6a4655ca0ca0d8afa8f\",\"imagePath\":\"C:\\\\Program Files (x86)\\\\Google\\\\GoogleUpdater\\\\126.0.6441.0\\\\updater.exe\",\"pid\":14016,\"scriptContent\":\"<undefined>\",\"verdict\":1},\"customerId\":\"\",\"deviceName\":\"IZDT-226\",\"endpointId\":\"\",\"eventType\":null,\"processes\":[{\"creationTime\":1714392570626,\"flsVerdict\":3,\"id\":13324682947529074784,\"imageHash\":\"2dfb00cd9a44a8a016452e1df01c0cec51870407\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\wininit.exe\",\"pid\":784,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1},{\"creationTime\":1714392570787,\"flsVerdict\":3,\"id\":7637858354080847475,\"imageHash\":\"e5704d8e560122c2a23de8912ae63b213d67c860\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"pid\":856,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1}],\"sessionUser\":\"SYSTEM@NT AUTHORITY\",\"time\":1714715983005,\"type\":\"RP1.1\",\"version\":\"1.1\"}"},"ecs":{"version":"8.0.0"},"log":{"offset":1255379,"file":{"path":"C:\\ProgramData\\edrsvc\\log\\output_events\\2024-05-03.log","idxhi":"2621440","idxlo":"145774","vol":"3301699515"}},"@version":"1","agent":{"id":"f6b16520-a6b8-43a2-8b9d-c06af5bfa8eb","type":"filebeat","version":"8.12.2","ephemeral_id":"7f9ba440-c182-40c1-9fdd-c08af9533820","name":"IZDT-226"},"@timestamp":"2024-05-03T05:59:43.144Z","message":"{\"baseEventType\":1,\"baseType\":1,\"childProcess\":{\"cmdLine\":\"\\\"C:\\\\Program Files (x86)\\\\Google\\\\GoogleUpdater\\\\126.0.6441.0\\\\updater.exe\\\" --system --windows-service 
--service=update\",\"creationTime\":1714715982977,\"elevationType\":1,\"flsVerdict\":1,\"id\":3795433696027756646,\"imageHash\":\"fcb1003051d25cb9c9b6e6a4655ca0ca0d8afa8f\",\"imagePath\":\"C:\\\\Program Files (x86)\\\\Google\\\\GoogleUpdater\\\\126.0.6441.0\\\\updater.exe\",\"pid\":14016,\"scriptContent\":\"<undefined>\",\"verdict\":1},\"customerId\":\"\",\"deviceName\":\"IZDT-226\",\"endpointId\":\"\",\"eventType\":null,\"processes\":[{\"creationTime\":1714392570626,\"flsVerdict\":3,\"id\":13324682947529074784,\"imageHash\":\"2dfb00cd9a44a8a016452e1df01c0cec51870407\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\wininit.exe\",\"pid\":784,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1},{\"creationTime\":1714392570787,\"flsVerdict\":3,\"id\":7637858354080847475,\"imageHash\":\"e5704d8e560122c2a23de8912ae63b213d67c860\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"pid\":856,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1}],\"sessionUser\":\"SYSTEM@NT AUTHORITY\",\"time\":1714715983005,\"type\":\"RP1.1\",\"version\":\"1.1\"}","input":{"type":"filestream"},"tags":["beats_input_codec_plain_applied"],"host":{"os":{"type":"windows","name":"Windows 10 Pro","build":"19045.4291","kernel":"10.0.19041.4291 (WinBuild.160101.0800)","version":"10.0","platform":"windows","family":"windows"},"ip":["fe80::658:99ed:7bfb:613c","10.125.103.10"],"mac":["F8-BC-12-5D-C2-AD"],"name":"izdt-226","hostname":"izdt-226","id":"b6f1b6a5-2801-46b5-820d-369b087e23fb","architecture":"x86_64"}}

The output is:

bin/logstash -f /etc/logstash/conf.d/openedr.conf 
Using bundled JDK: /usr/share/logstash/jdk
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_int
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_f
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2024-05-03 11:32:34.955 [main] runner - NOTICE: Running Logstash as superuser is not recommended and won't be allowed in the future. Set 'allow_superuser' to 'false' to avoid startup errors in future releases.
[INFO ] 2024-05-03 11:32:34.962 [main] runner - Starting Logstash {"logstash.version"=>"8.13.2", "jruby.version"=>"jruby 9.4.5.0 (3.1.4) 2023-11-02 1abae2700f OpenJDK 64-Bit Server VM 17.0.10+7 on 17.0.10+7 +indy +jit [x86_64-linux]"}
[INFO ] 2024-05-03 11:32:34.965 [main] runner - JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Dlogstash.jackson.stream-read-constraints.max-string-length=200000000, -Dlogstash.jackson.stream-read-constraints.max-number-length=10000, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED, -Dio.netty.allocator.maxOrder=11]
[INFO ] 2024-05-03 11:32:34.966 [main] runner - Jackson default value override `logstash.jackson.stream-read-constraints.max-string-length` configured to `200000000`
[INFO ] 2024-05-03 11:32:34.966 [main] runner - Jackson default value override `logstash.jackson.stream-read-constraints.max-number-length` configured to `10000`
[WARN ] 2024-05-03 11:32:35.126 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2024-05-03 11:32:35.567 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9601, :ssl_enabled=>false}
[INFO ] 2024-05-03 11:32:35.720 [Converge PipelineAction::Create<main>] Reflections - Reflections took 91 ms to scan 1 urls, producing 132 keys and 468 values
[INFO ] 2024-05-03 11:32:35.927 [Converge PipelineAction::Create<main>] jsonlines - ECS compatibility is enabled but `target` option was not specified. This may cause fields to be set at the top-level of the event where they are likely to clash with the Elastic Common Schema. It is recommended to set the `target` option to avoid potential schema conflicts (if your data is ECS compliant or non-conflicting, feel free to ignore this message)
[INFO ] 2024-05-03 11:32:35.954 [Converge PipelineAction::Create<main>] javapipeline - Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
[INFO ] 2024-05-03 11:32:35.980 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["/etc/logstash/conf.d/openedr.conf"], :thread=>"#<Thread:0x53ccb90e /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[INFO ] 2024-05-03 11:32:36.379 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>0.4}
[INFO ] 2024-05-03 11:32:36.384 [[main]-pipeline-manager] beats - Starting input listener {:address=>"0.0.0.0:5044"}
[INFO ] 2024-05-03 11:32:36.389 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2024-05-03 11:32:36.407 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[INFO ] 2024-05-03 11:32:36.452 [[main]<beats] Server - Starting server on port: 5044
[INFO ] 2024-05-03 11:33:26.227 [[main]>worker0] file - Opening file {:path=>"/tmp/logstash-raw-input.log"}
[INFO ] 2024-05-03 11:33:41.435 [[main]>worker2] file - Closing file /tmp/logstash-raw-input.log
[INFO ] 2024-05-03 11:33:54.147 [[main]>worker3] file - Opening file {:path=>"/tmp/logstash-raw-input.log"}
[INFO ] 2024-05-03 11:34:21.413 [[main]>worker1] file - Closing file /tmp/logstash-raw-input.log
[INFO ] 2024-05-03 11:37:29.887 [[main]>worker3] file - Opening file {:path=>"/tmp/logstash-raw-input.log"}
[INFO ] 2024-05-03 11:37:46.420 [[main]>worker1] file - Closing file /tmp/logstash-raw-input.log
[INFO ] 2024-05-03 11:38:20.961 [[main]>worker1] file - Opening file {:path=>"/tmp/logstash-raw-input.log"}
[INFO ] 2024-05-03 11:38:41.409 [[main]>worker3] file - Closing file /tmp/logstash-raw-input.log

It got stuck for some time and kept repeating the same thing.

I was trying.
Now I'm getting a new error if I run any pipeline:

bin/logstash -f /etc/logstash/conf.d/openedr.conf --path.data /var/lib/logstash/
Using bundled JDK: /usr/share/logstash/jdk
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_int
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_f
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2024-05-03 17:59:08.700 [main] runner - NOTICE: Running Logstash as superuser is not recommended and won't be allowed in the future. Set 'allow_superuser' to 'false' to avoid startup errors in future releases.
[INFO ] 2024-05-03 17:59:08.708 [main] runner - Starting Logstash {"logstash.version"=>"8.13.2", "jruby.version"=>"jruby 9.4.5.0 (3.1.4) 2023-11-02 1abae2700f OpenJDK 64-Bit Server VM 17.0.10+7 on 17.0.10+7 +indy +jit [x86_64-linux]"}
[INFO ] 2024-05-03 17:59:08.711 [main] runner - JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Dlogstash.jackson.stream-read-constraints.max-string-length=200000000, -Dlogstash.jackson.stream-read-constraints.max-number-length=10000, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED, -Dio.netty.allocator.maxOrder=11]
[INFO ] 2024-05-03 17:59:08.713 [main] runner - Jackson default value override `logstash.jackson.stream-read-constraints.max-string-length` configured to `200000000`
[INFO ] 2024-05-03 17:59:08.713 [main] runner - Jackson default value override `logstash.jackson.stream-read-constraints.max-number-length` configured to `10000`
[WARN ] 2024-05-03 17:59:08.871 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[FATAL] 2024-05-03 17:59:08.879 [LogStash::Runner] runner - Logstash could not be started because there is already another instance using the configured data directory.  If you wish to run multiple instances, you must change the "path.data" setting.
[FATAL] 2024-05-03 17:59:08.882 [LogStash::Runner] Logstash - Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
	at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:808) ~[jruby.jar:?]
	at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:767) ~[jruby.jar:?]
	at usr.share.logstash.lib.bootstrap.environment.<main>(/usr/share/logstash/lib/bootstrap/environment.rb:90) ~[?:?]
root@freeipa:/usr/share/logstash# 

This is what I mentioned a couple of posts before: you have another Logstash instance running. You need to check your system for it; you cannot have two instances using the same data directory, which is what the error message is saying.

From the message you shared, you just need to have a json filter on the message field.

Try to use this pipeline, disabling the ecs_compatibility on the input so it will have just the message field and not the event.original as well.

input {
    beats {
        port => 5044
        ecs_compatibility => disabled
    }
}
filter {
    json {
        source => "message"
        target => "parsed_json"
        remove_field => ["message"]
    }
}
output {
    # your output
}

For the above pipeline I'm getting the below error in
logstash-plain.log

It is showing: Could not index event to Elasticsearch. {:status=>400, :action

I'm not able to see any logs in the Kibana Discover tab.

log:
[2024-05-03T18:50:24,679][WARN ][logstash.outputs.elasticsearch][main][55c7f3bcf3bb2c1db9fd0fca65fb6fab703] **Could not index event to Elasticsearch. {:status=>400, :action**=>["index", {:_id=>nil, :_index=>"filebeat-8.12.2-2024.05.03", :routing=>nil}, {"service"=>{"type"=>"logstash"}, "agent"=>{"id"=>"f6b16520-a6b8-43a2-8b9d-c06af5bfa8eb", "version"=>"8.12.2", "ephemeral_id"=>"eea15e70-0bec-44b1-b1a2-2ef38469277e", "name"=>"IZDT-226", "type"=>"filebeat"}, "input"=>{"type"=>"log"}, "@version"=>"1", "ecs"=>{"version"=>"1.12.0"}, "tags"=>["beats_input_codec_plain_applied"], "host"=>{"ip"=>["fe80::658:99ed:7bfb:613c", "10.*.*.*"], "mac"=>["F-B-1-5-C-A"], "name"=>"idt-26", "hostname"=>"izdt-226", "architecture"=>"x86_64", "os"=>{"version"=>"10.0", "family"=>"windows", "kernel"=>"10.0.19041.4291 (WinBuild.160101.0800)", "name"=>"Windows 10 Pro", "build"=>"19045.4291", "type"=>"windows", "platform"=>"windows"}, "id"=>"b6f1b6a5-2801-46b5-820d-369b087e23fb"}, "parsed_json"=>{"eventType"=>nil, "deviceName"=>"IDT-26", "sessionUser"=>"Admin@IDT-26", "customerId"=>"", "processes"=>[{"flsVerdict"=>3, "imageHash"=>"2dfb00cd9aec51870407", "id"=>13324682947529074784, "creationTime"=>1714392570626, "imagePath"=>"C:\\Windows\\System32\\wininit.exe", "pid"=>784, "verdict"=>1, "userName"=>"SYSTEM@NT AUTHORITY"}, {"flsVerdict"=>3, "imageHash"=>"e5704de63b213d67c860", "id"=>7637858354080847475, "creationTime"=>1714392570787, "imagePath"=>"C:\\Windows\\System32\\services.exe", "pid"=>856, "verdict"=>1, "userName"=>"SYSTEM@NT AUTHORITY"}, {"flsVerdict"=>3, "imageHash"=>"445f5f38365af88ec29b357f4696f0e3ee50a1d8", "id"=>18274977973519874888, "creationTime"=>1714392574287, "imagePath"=>"C:\\Windows\\System32\\svchost.exe", "pid"=>580, "verdict"=>1, "userName"=>"SYSTEM@NT AUTHORITY"}], "type"=>"RP1.1", "endpointId"=>"", "time"=>1714742411320, "version"=>"1.1", "baseEventType"=>1, "childProcess"=>{"flsVerdict"=>3, "cmdLine"=>"C:\\Windows\\System32\\RuntimeBroker.exe -Embedding", 
"imageHash"=>"b0968cad070a6635b17", "id"=>15018702295694505716, "scriptContent"=>"<undefined>", "creationTime"=>1714742411304, "imagePath"=>"C:\\Windows\\System32\\RuntimeBroker.exe", "pid"=>11016, "verdict"=>1, "elevationType"=>3}, "baseType"=>1}, "event"=>{"module"=>"logstash", "original"=>"{\"baseEventType\":1,\"baseType\":1,\"childProcess\":{\"cmdLine\":\"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe -Embedding\",\"creationTime\":1714742411304,\"elevationType\":3,\"flsVerdict\":3,\"id\":15018702295694505716,\"imageHash\":

pipeline:

input {
    beats {
        port => 5044
        ecs_compatibility => disabled
    }
}
filter {
    json {
        source => "message"
        target => "parsed_json"
        remove_field => ["message"]
    }
}
output {
  elasticsearch {
    hosts => ["https://ip-addr:9200"]
    user => "elastic"
    password => "passwd"
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    ssl_verification_mode => "full"
    ssl_certificate_authorities => "/etc/elasticsearch/certs/http_ca.crt"
    ssl_enabled => true
  }
}

Please suggest!

Not sure how the ES server certificate was issued, try with:
ssl_verification_mode => "none"

Still I'm getting the same error
Could not index event to Elasticsearch. {:status=>400, :action
only for some pipelines, not for all pipelines.

For the remaining pipelines the whole log entry is inside the message field :pleading_face:

You need to share the complete log error, but this error normally happens when you have a mapping conflict, which means that some fields have a different mapping in elasticsearch.

If I see this type of log in logstash-plain.log then I will not be able to see any logs in Kibana.

[2024-05-06T17:44:49,381][WARN ][logstash.outputs.elasticsearch][main][1ba856ba7ebbe8abcacb2fcb410005a7dfa1e43e9163ba5bd0d3dccf4fba85d0] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-8.12.2-2024.05.06", :routing=>nil}, {"tags"=>["beats_input_codec_plain_applied"], "parsed_json"=>{"childProcess"=>{"elevationType"=>1, "flsVerdict"=>3, "scriptContent"=>"<undefined>", "imagePath"=>"C:\\Windows\\System32\\gpupdate.exe", "verdict"=>1, "imageHash"=>"46e240cd883404b8632d91366fc75c76807bf973", "id"=>9055324701310984538, "pid"=>364, "creationTime"=>1714997674637, "cmdLine"=>"\"gpupdate.exe\" /target:computer"}, "eventType"=>nil, "processes"=>[{"flsVerdict"=>3, "imagePath"=>"C:\\Windows\\System32\\wininit.exe", "verdict"=>1, "imageHash"=>"2dfb00cd9a44a8a016452e1df01c0cec51870407", "id"=>13324682947529074784, "pid"=>784, "creationTime"=>1714392570626, "userName"=>"SYSTEM@NT AUTHORITY"}, {"flsVerdict"=>3, "imagePath"=>"C:\\Windows\\System32\\services.exe", "verdict"=>1, "imageHash"=>"e5704d8e560122c2a23de8912ae63b213d67c860", "id"=>7637858354080847475, "pid"=>856, "creationTime"=>1714392570787, "userName"=>"SYSTEM@NT AUTHORITY"}, {"flsVerdict"=>3, "imagePath"=>"C:\\Windows\\System32\\svchost.exe", "verdict"=>1, "imageHash"=>"445f5f38365af88ec29b357f4696f0e3ee50a1d8", "id"=>17161845277298762182, "pid"=>2004, "creationTime"=>1714392575010, "userName"=>"SYSTEM@NT AUTHORITY"}], "baseType"=>1, "sessionUser"=>"NETWORK SERVICE@NT AUTHORITY", "deviceName"=>"IZDT-226", "type"=>"RP1.1", "endpointId"=>"", "baseEventType"=>1, "time"=>1714997674676, "customerId"=>"", "version"=>"1.1"}, "host"=>{"os"=>{"kernel"=>"10.0.11.4291 (WinBuild.160101.0800)", "name"=>"Windows 10 Pro", "build"=>"19045.4291", "type"=>"windows", "version"=>"10.0", "platform"=>"windows", "family"=>"windows"}, "name"=>"izdt-226", "hostname"=>"idt-226", "id"=>"b6f1b6a5-2801-46b5-820d-369b087e23fb", "architecture"=>"x86_64", "ip"=>["fe80::658:99ed:7bfb:613c", 
"10.125.3.1"], "mac"=>["F8-BC-AD"]}, "@version"=>"1", "log"=>{"offset"=>1997354, "file"=>{"path"=>"C:\\ProgramData\\edrsvc\\log\\output_events\\2024-05-06.log", "idxhi"=>"8781824", "vol"=>"3301699515", "idxlo"=>"150728"}}, "@timestamp"=>2024-05-06T12:14:39.014Z, "input"=>{"type"=>"filestream"}, "agent"=>{"id"=>"f6b16520-a6b8-43a2-8b9d-c06af5bfa8eb", "type"=>"filebeat", "version"=>"8.12.2", "name"=>"IDT-226", "ephemeral_id"=>"eea15e70-0bec-44b1-b1a2-2ef38469277e"}, "event"=>{"original"=>"{\"baseEventType\":1,\"baseType\":1,\"childProcess\":{\"cmdLine\":\"\\\"gpupdate.exe\\\" /target:computer\",\"creationTime\":1714997674637,\"elevationType\":1,\"flsVerdict\":3,\"id\":9055324701310984538,\"imageHash\":\"46e240cd883404b8632d91366fc75c76807bf973\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\gpupdate.exe\",\"pid\":364,\"scriptContent\":\"<undefined>\",\"verdict\":1},\"customerId\":\"\",\"deviceName\":\"IZDT-226\",\"endpointId\":\"\",\"eventType\":null,\"processes\":[{\"creationTime\":1714392570626,\"flsVerdict\":3,\"id\":13324682947529074784,\"imageHash\":\"2dfb00cd9a44a8a016452e1df01c0cec51870407\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\wininit.exe\",\"pid\":784,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1},{\"creationTime\":1714392570787,\"flsVerdict\":3,\"id\":7637858354080847475,\"imageHash\":\"e5704d8e560122c2a23de8912ae63b213d67c860\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"pid\":856,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1},{\"creationTime\":1714392575010,\"flsVerdict\":3,\"id\":17161845277298762182,\"imageHash\":\"445f5f38365af88ec29b357f4696f0e3ee50a1d8\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"pid\":2004,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1}],\"sessionUser\":\"NETWORK SERVICE@NT AUTHORITY\",\"time\":1714997674676,\"type\":\"RP1.1\",\"version\":\"1.1\"}"}, "ecs"=>{"version"=>"8.0.0"}}], :response=>{"index"=>{"status"=>400, "error"=>{"type"=>"document_parsing_exception", 
"reason"=>"[1:534] **failed to parse field [parsed_json.processes.id] of type [long] in document with id** 'M83TTY8BArD3qwQr_Ewi'. Preview of field's value: '13324682947529074784'", "caused_by"=>{"type"=>"x_content_parse_exception", "reason"=>"[1:554] Numeric value (13324682947529074784) out of range of long (-9223372036854775808 - 9223372036854775807)\n at [Source: (byte[])\"{\"tags\":[\"beats_input_codec_plain_applied\"],\"parsed_json\":{\"childProcess\":{\"elevationType\":1,\"flsVerdict\":3,\"scriptContent\":\"<undefined>\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\gpupdate.exe\",\"verdict\":1,\"imageHash\":\"46e240cd883404b8632d91366fc75c76807bf973\",\"id\":9055324701310984538,\"pid\":364,\"creationTime\":1714997674637,\"cmdLine\":\"\\\"gpupdate.exe\\\" /target:computer\"},\"eventType\":null,\"processes\":[{\"flsVerdict\":3,\"imagePath\":\"C:\\\\Windows\\\\System32\\\\wininit.exe\",\"verdict\":1,\"imageHash\":\"2dfb00cd9a44a8\"[truncated 2977 bytes]; line: 1, column: 554]", "caused_by"=>{"type"=>"input_coercion_exception", "reason"=>"Numeric value (13324682947529074784) out of range of long (-9223372036854775808 - 9223372036854775807)\n at [Source: (byte[])\"{\"tags\":[\"beats_input_codec_plain_applied\"],\"parsed_json\":{\"childProcess\":{\"elevationType\":1,\"flsVerdict\":3,\"scriptContent\":\"<undefined>\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\gpupdate.exe\",\"verdict\":1,\"imageHash\":\"46e240cd883404b8632d91366fc75c76807bf973\",\"id\":9055324701310984538,\"pid\":364,\"creationTime\":1714997674637,\"cmdLine\":\"\\\"gpupdate.exe\\\" /target:computer\"},\"eventType\":null,\"processes\":[{\"flsVerdict\":3,\"imagePath\":\"C:\\\\Windows\\\\System32\\\\wininit.exe\",\"verdict\":1,\"imageHash\":\"2dfb00cd9a44a8\"[truncated 2977 bytes]; line: 1, column: 554]"}}}}}}

May I know how to set a correct mapping for this log entry? I have set the below mapping:

PUT /_template/filebeat-template
{
  "index_patterns": ["filebeat*"],
  "mappings": {
    "properties": {
      "childProcess": {
        "properties": {
          "cmdLine": {"type": "text"},
          "creationTime": {"type": "date"},
          "elevationType": {"type": "text"},
          "flsVerdict": {"type": "text"},
          "id": {"type": "text"},
          "imageHash": {"type": "text"},
          "imagePath": {"type": "text"},
          "pid": {"type": "text"},
          "scriptContent": {"type": "text"},
          "verdict": {"type": "text"}
        }
      },
      "processes": {
        "type": "nested",
        "properties": {
          "creationTime": {"type": "date"},
          "flsVerdict": {"type": "text"},
          "id": {"type": "text"},
          "imageHash": {"type": "text"},
          "imagePath": {"type": "text"},
          "pid": {"type": "text"},
          "userName": {"type": "text"},
          "verdict": {"type": "text"}
        }
      }
    }
  }
}

Here is your error:

[1:534] failed to parse field [parsed_json.processes.id] of type [long] in document with id 'M83TTY8BArD3qwQr_Ewi'. Preview of field's value: '13324682947529074784'", "caused_by"=>{"type"=>"x_content_parse_exception", "reason"=>"[1:554] Numeric value (13324682947529074784) out of range of long (-9223372036854775808 - 9223372036854775807)

Your mapping is wrong because your fields are under parsed_json; you need to fix the mappings to represent the exact structure of the document.

You need to add another level in your mapping, starting with parsed_json.

You will also need to create a new index with this mapping.

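The two replies above make separate points: the json filter turns the escaped string in `message` into a `parsed_json` object, and the `document_parsing_exception` that followed is not a structural problem with the filter but with the values themselves, since `13324682947529074784` is larger than the signed 64-bit maximum `9223372036854775807` that Elasticsearch's `long` type can hold. The following Python script is an added example, not code from the thread or from Logstash/Elasticsearch. It reproduces both steps offline on a constructed, trimmed Beats event whose process ids are the values quoted in the error message: `apply_json_filter` mimics `json { source => "message" target => "parsed_json" remove_field => ["message"] }`, `find_long_overflows` reports every field path that a `long` mapping would reject before the document ever reaches Elasticsearch, and `stringify_overflows` shows the shape the document needs if those ids are mapped as `keyword` instead (the alternative is the `unsigned_long` field type, available since Elasticsearch 7.10). The function names, the `LONG_MIN`/`LONG_MAX` constants and the sample event are all this example's own.

```python
"""Offline reproduction of the two Logstash/Elasticsearch steps discussed in
the thread (constructed example; not the thread's or the project's code):
1. what the json filter does to the Beats event (source => "message",
   target => "parsed_json", remove_field => ["message"]);
2. why Elasticsearch rejected the result with document_parsing_exception:
   some EDR process ids exceed the signed 64-bit range of the `long` type.
"""
import copy
import json

LONG_MIN = -(2 ** 63)          # Elasticsearch `long` is a signed 64-bit integer
LONG_MAX = 2 ** 63 - 1         # 9223372036854775807

# Constructed Beats event: a trimmed version of what Filebeat ships when the
# whole EDR line still sits in "message" as an escaped JSON string. The ids
# are the values quoted in the thread's error message.
SAMPLE_EVENT = {
    "@timestamp": "2024-05-06T12:14:39.014Z",
    "host": {"hostname": "izdt-226"},
    "message": json.dumps({
        "baseEventType": 1,
        "baseType": 1,
        "childProcess": {
            "cmdLine": "\"gpupdate.exe\" /target:computer",
            "id": 9055324701310984538,               # fits in a long
            "pid": 364,
        },
        "processes": [
            {"imagePath": "C:\\Windows\\System32\\wininit.exe",
             "id": 13324682947529074784, "pid": 784},  # > LONG_MAX
            {"imagePath": "C:\\Windows\\System32\\services.exe",
             "id": 7637858354080847475, "pid": 856},   # fits in a long
        ],
        "type": "RP1.1",
    }),
}


def apply_json_filter(event, source="message", target="parsed_json"):
    """Mimic the Logstash json filter: parse event[source] into event[target]
    and drop the source field. Returns a new dict; the input is not mutated.
    A message that is not valid JSON is left in place and the event is tagged
    _jsonparsefailure, as Logstash does; a missing source field is a no-op."""
    out = copy.deepcopy(event)
    if source not in out:
        return out
    try:
        out[target] = json.loads(out[source])
    except (TypeError, ValueError):
        out.setdefault("tags", []).append("_jsonparsefailure")
        return out
    del out[source]               # remove_field => ["message"]
    return out


def find_long_overflows(doc, path=""):
    """Walk the document and return [(dotted.path, value)] for every integer
    that Elasticsearch cannot store in a field mapped as `long`. Lists are
    reported with an index so the offending array element is identifiable."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            hits += find_long_overflows(value, f"{path}.{key}" if path else key)
    elif isinstance(doc, list):
        for i, value in enumerate(doc):
            hits += find_long_overflows(value, f"{path}[{i}]")
    elif isinstance(doc, int) and not isinstance(doc, bool):
        if doc < LONG_MIN or doc > LONG_MAX:
            hits.append((path, doc))
    return hits


def stringify_overflows(doc):
    """Return a copy in which every out-of-range integer becomes its decimal
    string, so the field can be mapped as `keyword` (ids are opaque
    identifiers; exact-match lookups are all that is needed on them)."""
    if isinstance(doc, dict):
        return {k: stringify_overflows(v) for k, v in doc.items()}
    if isinstance(doc, list):
        return [stringify_overflows(v) for v in doc]
    if isinstance(doc, int) and not isinstance(doc, bool):
        if doc < LONG_MIN or doc > LONG_MAX:
            return str(doc)
    return doc


if __name__ == "__main__":
    parsed = apply_json_filter(SAMPLE_EVENT)
    for field_path, value in find_long_overflows(parsed):
        print(f"{field_path} = {value} would fail a `long` mapping")
    fixed = stringify_overflows(parsed)
    print(json.dumps(fixed["parsed_json"]["processes"][0], indent=2))
```

Running the check against a day's worth of raw lines from `/tmp/logstash-raw-input.log` before touching the index template tells you which field paths (here `parsed_json.processes[*].id`, and potentially `parsed_json.childProcess.id`, since any of these ids can exceed the range) must not be mapped as `long`; everything the walker reports has to become `keyword` or `unsigned_long` in the template, and the template has to carry the `parsed_json` level that the reply above asks for.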

Can you please provide how to do this? I was trying, but I'm not getting a perfect answer on how to do it! I have tried the below one:

PUT /_template/filebeat-template
{
  "index_patterns": ["filebeat*"],
  "mappings": {
    "properties": {
      "parsed_json": {
        "properties": {
          "baseEventType": {"type": "long"},
          "baseType": {"type": "long"},
          "childProcess": {
            "properties": {
              "cmdLine": {"type": "text"},
              "creationTime": {"type": "date"},
              "elevationType": {"type": "long"},
              "flsVerdict": {"type": "long"},
              "id": {"type": "long"},
              "imageHash": {"type": "text"},
              "imagePath": {"type": "text"},
              "pid": {"type": "long"},
              "scriptContent": {"type": "text"},
              "verdict": {"type": "long"}
            }
          },
          "customerId": {"type": "keyword"},
          "deviceName": {"type": "keyword"},
          "endpointId": {"type": "keyword"},
          "eventType": {"type": "keyword"},
          "processes": {
            "type": "nested",
            "properties": {
              "creationTime": {"type": "date"},
              "flsVerdict": {"type": "long"},
              "id": {"type": "long"},
              "imageHash": {"type": "text"},
              "imagePath": {"type": "text"},
              "pid": {"type": "long"},
              "userName": {"type": "keyword"},
              "verdict": {"type": "long"}
            }
          },
          "sessionUser": {"type": "keyword"},
          "time": {"type": "date"},
          "type": {"type": "keyword"},
          "version": {"type": "keyword"}
        }
      }
    }
  }
}

I didn't get the result. Still the whole log is inside the message field.

And I have a doubt: why do I need to create another index? What about filebeat*? I can modify filebeat*, right?

Can you provide how to create a new index?
I'm a beginner to ELK.

Please suggest!

I have created a new index:

PUT /my_index
{
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0
  },
  "mappings": {
    "properties": {
      "baseEventType": {
        "type": "integer"
      },
      "baseType": {
        "type": "integer"
      },
      "childProcess": {
        "properties": {
          "cmdLine": {
            "type": "text"
          },
          "creationTime": {
            "type": "date"
          },
          "elevationType": {
            "type": "integer"
          },
          "flsVerdict": {
            "type": "integer"
          },
          "id": {
            "type": "long"
          },
          "imageHash": {
            "type": "keyword"
          },
          "imagePath": {
            "type": "keyword"
          },
          "pid": {
            "type": "integer"
          },
          "scriptContent": {
            "type": "text"
          },
          "verdict": {
            "type": "integer"
          }
        }
      },
      "customerId": {
        "type": "keyword"
      },
      "deviceName": {
        "type": "keyword"
      },
      "endpointId": {
        "type": "keyword"
      },
      "eventType": {
        "type": "keyword"
      },
      "processes": {
        "type": "nested",
        "properties": {
          "creationTime": {
            "type": "date"
          },
          "flsVerdict": {
            "type": "integer"
          },
          "id": {
            "type": "long"
          },
          "imageHash": {
            "type": "keyword"
          },
          "imagePath": {
            "type": "keyword"
          },
          "pid": {
            "type": "integer"
          },
          "userName": {
            "type": "keyword"
          },
          "verdict": {
            "type": "integer"
          }
        }
      },
      "sessionUser": {
        "type": "keyword"
      },
      "time": {
        "type": "date"
      },
      "type": {
        "type": "keyword"
      },
      "version": {
        "type": "keyword"
      }
    }
  }
}

With parsed_json:

PUT /_index_template/my_index_template
{
  "index_patterns": ["my_index"], 
  "data_stream": {},
  "template": {
    "settings": {
      "number_of_shards": 1,
      "number_of_replicas": 0
    },
    "mappings": {
      "properties": {
        "parsed_json": {  // Assuming your fields are nested under a `parsed_json` field
          "properties": {
            "baseEventType": {
              "type": "integer"
            },
            "baseType": {
              "type": "integer"
            },
            "childProcess": {
              "properties": {
                "cmdLine": {
                  "type": "text"
                },
                "creationTime": {
                  "type": "date"
                },
                "elevationType": {
                  "type": "integer"
                },
                "flsVerdict": {
                  "type": "integer"
                },
                "id": {
                  "type": "long"
                },
                "imageHash": {
                  "type": "keyword"
                },
                "imagePath": {
                  "type": "keyword"
                },
                "pid": {
                  "type": "integer"
                },
                "scriptContent": {
                  "type": "text"
                },
                "verdict": {
                  "type": "integer"
                }
              }
            },
            "customerId": {
              "type": "keyword"
            },
            "deviceName": {
              "type": "keyword"
            },
            "endpointId": {
              "type": "keyword"
            },
            "eventType": {
              "type": "keyword"
            },
            "processes": {
              "type": "nested",
              "properties": {
                "creationTime": {
                  "type": "date"
                },
                "flsVerdict": {
                  "type": "integer"
                },
                "id": {
                  "type": "long"
                },
                "imageHash": {
                  "type": "keyword"
                },
                "imagePath": {
                  "type": "keyword"
                },
                "pid": {
                  "type": "integer"
                },
                "userName": {
                  "type": "keyword"
                },
                "verdict": {
                  "type": "integer"
                }
              }
            },
            "sessionUser": {
              "type": "keyword"
            },
            "time": {
              "type": "date"
            },
            "type": {
              "type": "keyword"
            },
            "version": {
              "type": "keyword"
            }
          }
        }
      }
    }
  }
}

Now it has all the required fields that are needed.
Here is my pipeline:

cat openedr.conf 
input {
    beats {
        port => 5044
        ecs_compatibility => disabled
    }
}
filter {
    json {
        source => "message"
        target => "parsed_json"
        remove_field => ["message"]
    }
}
output {
  elasticsearch {
    hosts => ["https://ip-address:9200"]
    user => "elastic"
    password => "passwd"
    index => "my_index"
    ssl_verification_mode => "full"
    ssl_certificate_authorities => "/etc/elasticsearch/certs/http_ca.crt"
    ssl_enabled => true
  }
}

I'm not able to see logs in Kibana > Discover for that index; all fields are empty.

[2024-05-07T13:09:15,170][WARN ][logstash.outputs.elasticsearch][main][6052cd2c09614adc099a18352c4307efc1ca2c35ffbf7b7ea6a659325ffabf67] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"my_index", :routing=>nil}, {"service"=>{"type"=>"logstash"}, "input"=>{"type"=>"log"}, "@version"=>"1", "agent"=>{"id"=>"f6b16520-a6b8-43a2-8b9d-c06af5bfa8eb", "version"=>"8.12.2", "ephemeral_id"=>"eea15e70-0bec-44b1-b1a2-2ef38469277e", "name"=>"IZDT-226", "type"=>"filebeat"}, "host"=>{"os"=>{"platform"=>"windows", "kernel"=>"10.0.19041.4291 (WinBuild.160101.0800)", "version"=>"10.0", "name"=>"Windows 10 Pro", "build"=>"19045.4291", "type"=>"windows", "family"=>"windows"}, "ip"=>["fe80::658:99ed:7bfb:613c", "10.125.1.0"], "mac"=>["F8-BC-12-AD"], "name"=>"izdt-226", "hostname"=>"it-226", "id"=>"b6f1b6a5-2801-46b5-820d-369b087e23fb", "architecture"=>"x86_64"}, "@timestamp"=>2024-05-07T07:38:57.247Z, "ecs"=>{"version"=>"1.12.0"}, "log"=>{"offset"=>1264614, "file"=>{"path"=>"C:\\ProgramData\\edrsvc\\log\\output_events\\2024-05-07.log"}}, "fileset"=>{"name"=>"log"}, "event"=>{"module"=>"logstash", "original"=>"{\"baseEventType\":1,\"baseType\":1,\"childProcess\":{\"cmdLine\":\"\\\"C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\\\" -contentproc --channel=7860 -childID 3394 -isForBrowser -prefsHandle 9252 -prefMapHandle 9356 -prefsLen 32640 -prefMapSize 250043 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240419144423 -win32kLockedDown -appDir \\\"C:\\\\Program Files\\\\Mozilla Firefox\\\\browser\\\" - {383ed037-1e9c-4766-a2b9-6ab6318934cc} 10452 \\\"\\\\\\\\.\\\\pipe\\\\gecko-crash-server-pipe.10452\\\" tab /prefetch:2\",\"creationTime\":1715067533284,\"elevationType\":3,\"flsVerdict\":1,\"id\":2167819567973198043,\"imageHash\":\"fb3c707fcfafb9190c892e0b7c3bb50a30ffc706\",\"imagePath\":\"C:\\\\Program Files\\\\Mozilla 
Firefox\\\\firefox.exe\",\"pid\":10404,\"scriptContent\":\"<undefined>\",\"verdict\":1},\"customerId\":\"\",\"deviceName\":\"IT-226\",\"endpointId\":\"\",\"eventType\":null,\"processes\":[{\"creationTime\":1714392551294,\"flsVerdict\":3,\"id\":17055519350220007344,\"imageHash\":\"\",\"imagePath\":\"System\",\"pid\":4,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1},{\"creationTime\":1714392551296,\"flsVerdict\":3,\"id\":10484085230716227874,\"imageHash\":\"fc4b6f48a8a7ece73f1da2370d7b488820f10b0d\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\smss.exe\",\"pid\":512,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1},{\"creationTime\":1714393113631,\"flsVerdict\":3,\"id\":13679504117710993514,\"imageHash\":\"fc4b6f48a8a7ece73f1da2370d7b488820f10b0d\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\smss.exe\",\"pid\":9732,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1},{\"creationTime\":1714393113709,\"flsVerdict\":3,\"id\":13554967919231126822,\"imageHash\":\"875d495de7b1d41eee789f92ff1aaae2495b1419\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\winlogon.exe\",\"pid\":1652,\"userName\":\"SYSTEM@NT AUTHORITY\",\"verdict\":1},{\"creationTime\":1714393134549,\"flsVerdict\":3,\"id\":4120525655557887168,\"imageHash\":\"e5a153af6ab857fc4752a2bb008b435add5bf0b8\",\"imagePath\":\"C:\\\\Windows\\\\System32\\\\userinit.exe\",\"pid\":8084,\"userName\":\"Raghavendra@IZDT-226\",\"verdict\":1},{\"creationTime\":1714393134645,\"flsVerdict\":3,\"id\":8323067076655652240,\"imageHash\":\"61ee53287d7aa2abbf323cc04e4475ae07ed6e75\",\"imagePath\":\"C:\\\\Windows\\\\explorer.exe\",\"pid\":8256,\"userName\":\"Raghavendra@IZDT-226\",\"verdict\":1},{\"creationTime\":1714393173371,\"flsVerdict\":1,\"id\":993482044620317102,\"imageHash\":\"fb3c707fcfafb9190c892e0b7c3bb50a30ffc706\",\"imagePath\":\"C:\\\\Program Files\\\\Mozilla 
Firefox\\\\firefox.exe\",\"pid\":14524,\"userName\":\"Raghavendra@IZDT-226\",\"verdict\":1},{\"creationTime\":1714393173646,\"flsVerdict\":1,\"id\":15755395494097282250,\"imageHash\":\"fb3c707fcfafb9190c892e0b7c3bb50a30ffc706\",\"imagePath\":\"C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\"pid\":14548,\"userName\":\"Raghavendra@IZDT-226\",\"verdict\":1},{\"creationTime\":1714393174882,\"flsVerdict\":1,\"id\":17932368954266111806,\"imageHash\":\"f342d1bbe8b0a941fab99916e0a536851feaa7b6\",\"imagePath\":\"C:\\\{"imageHash"=>"fb3c707fcfafb9190c892e0b7c3bb50a30ffc706", "verdict"=>1, "imagePath"=>"C:\\Program Files\\Mozilla Firefox\\firefox.exe", "id"=>15755395494097282250, "creationTime"=>1714393173646, "pid"=>14548, "userName"=>"Raghavendra@IT-226", "flsVerdict"=>1}, {"imageHash"=>"f342d1bbe8b0a941fab99916e0a536851feaa7b6", "verdict"=>1, "imagePath"=>"C:\\Program Files\\Mozilla Firefox\\updater.exe", "id"=>17932368954266111806, "creationTime"=>1714393174882, "pid"=>14696, "userName"=>"Raghavendra@It-226", "flsVerdict"=>1}, {"imageHash"=>"fb3c707fcfafb9190c892e0b7c3bb50a30ffc706", "verdict"=>1, "imagePath"=>"C:\\Program Files\\Mozilla Firefox\\firefox.exe", "id"=>6938495181008955520, "creationTime"=>1714393198884, "pid"=>14184, "userName"=>"Raghavendra@IT-226", "flsVerdict"=>1}, {"imageHash"=>"fb3c707fcfafb9190c892e0b7c3bb50a30ffc706", "verdict"=>1, "imagePath"=>"C:\\Program Files\\Mozilla Firefox\\firefox.exe", "id"=>11984015591290737252, "creationTime"=>1714393199477, "pid"=>10452, "userName"=>"Raghavendra@IT-226", "flsVerdict"=>1}], "childProcess"=>{"flsVerdict"=>1, "cmdLine"=>"\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -contentproc --channel=7860 -childID 3394 -isForBrowser -prefsHandle 9252 -prefMapHandle 9356 -prefsLen 32640 -prefMapSize 250043 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240419144423 -win32kLockedDown -appDir \"C:\\Program Files\\Mozilla Firefox\\browser\" - {383ed037-1e9c-4766-a2b9-6ab6318934cc} 10452 
\"\\\\.\\pipe\\gecko-crash-server-pipe.10452\" tab /prefetch:2", "imageHash"=>"fb3c707fcfafb9190c892e0b7c3bb50a30ffc706", "imagePath"=>"C:\\Program Files\\Mozilla Firefox\\firefox.exe", "scriptContent"=>"<undefined>", "verdict"=>1, "id"=>2167819567973198043, "creationTime"=>1715067533284, "pid"=>10404, "elevationType"=>3}, "endpointId"=>""}}], :response=>{"index"=>{"status"=>400, "error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:5039] failed to parse field [parsed_json.processes.id] of type [long] in document with id 'Fs3-UY8BArD3qwQrDVhY'. Preview of field's value: '17055519350220007344'", "caused_by"=>{"type"=>"x_content_parse_exception", "reason"=>"[1:5059] Numeric value (17055519350220007344) out of range of long (-9223372036854775808 - 9223372036854775807)\n at [Source: (byte[])\"{\"service\":{\"type\":\"logstash\"},\"input\":{\"type\":\"log\"},\"@version\":\"1\",\"agent\":{\"id\":\"f6b16520-a6b8-43a2-8b9d-c06af5bfa8eb\",\"version\":\"8.12.2\",\"ephemeral_id\":\"eea15e70-0bec-44b1-b1a2-2ef38469277e\",\"name\":\"IZDT-226\",\"type\":\"filebeat\"},\"host\":{\"os\":{\"platform\":\"windows\",\"kernel\":\"10.0.11.4291 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"name\":\"Windows 10 Pro\",\"build\":\"19045.4291\",\"type\":\"windows\",\"family\":\"windows\"},\"ip\":[\"fe80::658:99ed:7bfb:613c\",\"10.125.103.10\"],\"mac\":[\"F8-BC-12-q2-AD\"],\"name\"\"[truncated 7761 bytes]; line: 1, column: 5059]", "caused_by"=>{"type"=>"input_coercion_exception", "reason"=>"Numeric value (17055519350220007344) out of range of long (-9223372036854775808 - 9223372036854775807)\n at [Source: (byte[])\"{\"service\":{\"type\":\"logstash\"},\"input\":{\"type\":\"log\"},\"@version\":\"1\",\"agent\":{\"id\":\"f6b16520-a6b8-43a2-8b9d-c06af5bfa8eb\",\"version\":\"8.12.2\",\"ephemeral_id\":\"eea15e70-0bec-44b1-b1a2-2ef38469277e\",\"name\":\"IT-226\",\"type\":\"filebeat\"},\"host\":{\"os\":{\"platform\":\"windows\",\"kernel\":\"10.0.19041.4291 
(WinBuild.160101.0800)\",\"version\":\"10.0\",\"name\":\"Windows 10 Pro\",\"build\":\"19045.4291\",\"type\":\"windows\",\"family\":\"windows\"},\"ip\":[\"fe80::658:99ed:7bfb:613c\",\"10.12.1.1\"],\"mac\":[\"F8-BC-12-5D-C2-AD\"],\"name\"\"[truncated 7761 bytes]; line: 1, column: 5059]"}}}}}}

But for the pipeline below:
cat /etc/logstash/conf.d/openedr.conf

# Beats -> Logstash -> Elasticsearch pipeline.

input {
  beats {
    port => 5044
  }
}

filter {
  json {
    source => "event.original"
    target => "parsed_event"
  }

  if [parsed_event] {
    mutate {
      add_field => { "customer_id" => "%{[parsed_event][customerId]}" }
      add_field => { "device_name" => "%{[parsed_event][deviceName]}" }
      add_field => { "base_event_type" => "%{[parsed_event][baseEventType]}" }
      add_field => { "base_type" => "%{[parsed_event][baseType]}" }
      add_field => { "session_user" => "%{[parsed_event][sessionUser]}" }
      add_field => { "event_type" => "%{[parsed_event][eventType]}" }
      add_field => { "version" => "%{[parsed_event][version]}" }
      # Add similar lines for other desired fields
    }
  }
}

output {
  elasticsearch {
    hosts => ["https://ip-addr:9200"]
    user => "elastic"
    password => "passwd"
    index => "my_index"
    ssl_verification_mode => "full"
    ssl_certificate_authorities => "/etc/elasticsearch/certs/http_ca.crt"
    ssl_enabled => true
  }
}

I'm not getting any error or warn log in the logstash-plain.log file, and I'm not able to see any logs in Kibana > Discover either; the fields are empty.
:pleading_face:

error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:846] failed to parse field [parsed_json.processes.id] of type [long] in document

This was the error for the pipeline:

input {
    beats {
        port => 5044
        ecs_compatibility => disabled
    }
}
filter {
    json {
        source => "message"
        target => "parsed_json"
        remove_field => ["message"]
    }
}
output {
    your output
}

I have changed the datatype of id in the mapping from long to keyword,
but I'm still getting the same error.
Do I have to do anything?
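As an added check (not code from the thread), the following Python walks an OpenEDR-style event line, reports which integers fall outside the `long` range that produced the `document_parsing_exception` above, suggests the narrowest Elasticsearch type that would hold each value, and renders the `id` fields as strings to match the `keyword` mapping. The sample event is constructed; its ids, pids and paths are made up to mirror the shape of the events in the thread.

```python
import json

INT64_MIN, INT64_MAX = -(2 ** 63), 2 ** 63 - 1   # Elasticsearch `long`
UINT64_MAX = 2 ** 64 - 1                          # Elasticsearch `unsigned_long`

# Constructed sample event (values are made up) in the OpenEDR shape seen in
# the thread; the first process id is the kind that overflows a `long` field.
SAMPLE_EVENT = json.dumps({
    "baseEventType": 1,
    "baseType": 1,
    "childProcess": {
        "id": 2167819567973198043,
        "pid": 10404,
        "imagePath": "C:\\Windows\\System32\\notepad.exe",
    },
    "processes": [
        {"id": 17055519350220007344, "pid": 4, "imagePath": "System"},
        {"id": 993482044620317102, "pid": 14524, "imagePath": "C:\\Windows\\explorer.exe"},
    ],
    "time": 1715067533284,
})


def suggest_type(value):
    """Narrowest ES numeric type that can hold an integer, else keyword."""
    if INT64_MIN <= value <= INT64_MAX:
        return "long"
    if 0 <= value <= UINT64_MAX:
        return "unsigned_long"
    return "keyword"


def find_long_overflows(doc, path=""):
    """Return (field_path, value) for every integer a `long` field cannot hold.

    Array indices are dropped from the path, matching how Elasticsearch
    reports the field (e.g. parsed_json.processes.id) in its error message.
    """
    hits = []
    if isinstance(doc, dict):
        for key, val in doc.items():
            hits += find_long_overflows(val, f"{path}.{key}" if path else key)
    elif isinstance(doc, list):
        for item in doc:
            hits += find_long_overflows(item, path)
    elif isinstance(doc, int) and not isinstance(doc, bool):
        if doc < INT64_MIN or doc > INT64_MAX:
            hits.append((path, doc))
    return hits


def stringify_ids(doc):
    """Copy of the event with every `id` rendered as a string.

    A keyword field accepts a bare number and indexes it as a string anyway,
    but sending it as a string avoids precision loss in any JSON parser
    between the agent and the cluster that only knows 64-bit integers.
    """
    if isinstance(doc, dict):
        return {
            key: (str(val) if key == "id" and isinstance(val, int) else stringify_ids(val))
            for key, val in doc.items()
        }
    if isinstance(doc, list):
        return [stringify_ids(item) for item in doc]
    return doc


def check_event(raw_line):
    """Parse one raw event line; return the overflow report and the safe document."""
    event = json.loads(raw_line)          # Python ints are unbounded, so nothing is lost here
    return find_long_overflows(event), stringify_ids(event)


if __name__ == "__main__":
    overflows, safe_doc = check_event(SAMPLE_EVENT)
    for field_path, value in overflows:
        print(f"{field_path}: {value} does not fit long; use {suggest_type(value)}")
    print(json.dumps(safe_doc, indent=2))
```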

Did you delete the old index and create a new one? The template is only applied when an index is created.

You need to create a new index.

Yes, I have created a new index.
#index2

PUT /my_index1
{
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0
  },
  "mappings": {
    "properties": {
      "baseEventType": {
        "type": "integer"
      },
      "baseType": {
        "type": "integer"
      },
      "childProcess": {
        "properties": {
          "cmdLine": {
            "type": "text"
          },
          "creationTime": {
            "type": "date"
          },
          "elevationType": {
            "type": "integer"
          },
          "flsVerdict": {
            "type": "integer"
          },
          "id": {
            "type": "keyword"
          },
          "imageHash": {
            "type": "keyword"
          },
          "imagePath": {
            "type": "keyword"
          },
          "pid": {
            "type": "integer"
          },
          "scriptContent": {
            "type": "text"
          },
          "verdict": {
            "type": "integer"
          }
        }
      },
      "customerId": {
        "type": "keyword"
      },
      "deviceName": {
        "type": "keyword"
      },
      "endpointId": {
        "type": "keyword"
      },
      "eventType": {
        "type": "keyword"
      },
      "processes": {
        "type": "nested",
        "properties": {
          "creationTime": {
            "type": "date"
          },
          "flsVerdict": {
            "type": "integer"
          },
          "id": {
            "type": "keyword"
          },
          "imageHash": {
            "type": "keyword"
          },
          "imagePath": {
            "type": "keyword"
          },
          "pid": {
            "type": "integer"
          },
          "userName": {
            "type": "keyword"
          },
          "verdict": {
            "type": "integer"
          }
        }
      },
      "sessionUser": {
        "type": "keyword"
      },
      "time": {
        "type": "date"
      },
      "type": {
        "type": "keyword"
      },
      "version": {
        "type": "keyword"
      }
    }
  }
}


#mapping
PUT /_index_template/my_index_template
{
  "index_patterns": ["my_index"], 
  "data_stream": {},
  "template": {
    "settings": {
      "number_of_shards": 1,
      "number_of_replicas": 0
    },
    "mappings": {
      "properties": {
        "parsed_json": {  // Assuming your fields are nested under a `parsed_json` field
          "properties": {
            "baseEventType": {
              "type": "integer"
            },
            "baseType": {
              "type": "integer"
            },
            "childProcess": {
              "properties": {
                "cmdLine": {
                  "type": "text"
                },
                "creationTime": {
                  "type": "date"
                },
                "elevationType": {
                  "type": "integer"
                },
                "flsVerdict": {
                  "type": "integer"
                },
                "id": {
                  "type": "keyword"
                },
                "imageHash": {
                  "type": "keyword"
                },
                "imagePath": {
                  "type": "keyword"
                },
                "pid": {
                  "type": "integer"
                },
                "scriptContent": {
                  "type": "text"
                },
                "verdict": {
                  "type": "integer"
                }
              }
            },
            "customerId": {
              "type": "keyword"
            },
            "deviceName": {
              "type": "keyword"
            },
            "endpointId": {
              "type": "keyword"
            },
            "eventType": {
              "type": "keyword"
            },
            "processes": {
              "type": "nested",
              "properties": {
                "creationTime": {
                  "type": "date"
                },
                "flsVerdict": {
                  "type": "integer"
                },
                "id": {
                  "type": "keyword"
                },
                "imageHash": {
                  "type": "keyword"
                },
                "imagePath": {
                  "type": "keyword"
                },
                "pid": {
                  "type": "integer"
                },
                "userName": {
                  "type": "keyword"
                },
                "verdict": {
                  "type": "integer"
                }
              }
            },
            "sessionUser": {
              "type": "keyword"
            },
            "time": {
              "type": "date"
            },
            "type": {
              "type": "keyword"
            },
            "version": {
              "type": "keyword"
            }
          }
        }
      }
    }
  }
}

Remove this from your template; it will complicate things at this moment. Use a normal index.

Then use this template:

PUT /_index_template/my_index_template
{
  "index_patterns": ["my_index"], 
  "template": {
    "settings": {
      "number_of_shards": 1,
      "number_of_replicas": 0
    },
    "mappings": {
      "properties": {
        "parsed_json": {  // Assuming your fields are nested under a `parsed_json` field
          "properties": {
            "baseEventType": {
              "type": "integer"
            },
            "baseType": {
              "type": "integer"
            },
            "childProcess": {
              "properties": {
                "cmdLine": {
                  "type": "text"
                },
                "creationTime": {
                  "type": "date"
                },
                "elevationType": {
                  "type": "integer"
                },
                "flsVerdict": {
                  "type": "integer"
                },
                "id": {
                  "type": "keyword"
                },
                "imageHash": {
                  "type": "keyword"
                },
                "imagePath": {
                  "type": "keyword"
                },
                "pid": {
                  "type": "integer"
                },
                "scriptContent": {
                  "type": "text"
                },
                "verdict": {
                  "type": "integer"
                }
              }
            },
            "customerId": {
              "type": "keyword"
            },
            "deviceName": {
              "type": "keyword"
            },
            "endpointId": {
              "type": "keyword"
            },
            "eventType": {
              "type": "keyword"
            },
            "processes": {
              "type": "nested",
              "properties": {
                "creationTime": {
                  "type": "date"
                },
                "flsVerdict": {
                  "type": "integer"
                },
                "id": {
                  "type": "keyword"
                },
                "imageHash": {
                  "type": "keyword"
                },
                "imagePath": {
                  "type": "keyword"
                },
                "pid": {
                  "type": "integer"
                },
                "userName": {
                  "type": "keyword"
                },
                "verdict": {
                  "type": "integer"
                }
              }
            },
            "sessionUser": {
              "type": "keyword"
            },
            "time": {
              "type": "date"
            },
            "type": {
              "type": "keyword"
            },
            "version": {
              "type": "keyword"
            }
          }
        }
      }
    }
  }
}

And in your Logstash output use index => my_index, but before that confirm that my_index does not exist in your Elasticsearch cluster yet.

Thank you for your immediate response; I will try the above one and let you know.

Thanks a lot, it's almost working; I'm able to see the logs parsed correctly into their own fields :innocent:

But at the same time the whole log entry was inside the event.original field and also in the parsed_json.processes field.

What I mean is that not all log entries, but some log entries, are repeated, storing the values in event.original and parsed_json.processes.

This is inside the parsed_json.processes field:

    "userName": [
      "Raghavendra@IT-226"
    ]
  },
  {
    "flsVerdict": [
      1
    ],
    "creationTime": [
      "2024-04-29T12:19:33.646Z"
    ],
    "imagePath": [
      "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    ],
    "verdict": [
      1
    ],
    "pid": [
      14548
    ],
    "id": [
      "15755395494097282250"
    ],
    "imageHash": [
      "fb3c707fcfafb9190c892e0b7c3bb50a30ffc706"
    ],
    "userName": [
      "Raghavendra@IT-226"
    ]
  },
  {
    "flsVerdict": [
      1
    ],
    "creationTime": [
      "2024-04-29T12:19:34.882Z"
    ],
    "imagePath": [
      "C:\\Program Files\\Mozilla Firefox\\updater.exe"
    ],
    "verdict": [
      1
    ],
    "pid": [
      14696
    ],
    "id": [
      "17932368954266111806"
    ],
    "imageHash": [
      "f342d1bbe8b0a941fab99916e0a536851feaa7b6"
    ],
    "userName": [
      "Raghavendra@IT-226"
    ]
  },
  {
    "flsVerdict": [
      1
    ],
    "creationTime": [
      "2024-04-29T12:19:58.884Z"
    ],
    "imagePath": [
      "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    ],
    "verdict": [
      1
    ],
    "pid": [
      14184
    ],
    "id": [
      "6938495181008955520"
    ],
    "imageHash": [
      "fb3c707fcfafb9190c892e0b7c3bb50a30ffc706"
    ],
    "userName": [
      "Raghavendra@IT-226"
    ]
  },
  {
    "flsVerdict": [
      1
    ],
    "creationTime": [
      "2024-04-29T12:19:59.477Z"
    ],
    "imagePath": [
      "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    ],
    "verdict": [
      1
    ],
    "pid": [
      10452
    ],
    "id": [
      "11984015591290737252"
    ],
    "imageHash": [
      "fb3c707fcfafb9190c892e0b7c3bb50a30ffc706"
    ],
    "userName": [
      "Raghavendra@IT-226"
    ]
  }
]