Transfer Docker log with gelf：Could not index event to Elasticsearch

CCH0124 · July 13, 2018, 12:37am

Logstash has the following error

[2018-07-13T00:28:09,022][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-gelf-docker-2018.07.13", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x44cb3a00>], :response=>{"index"=>{"_index"=>"filebeat-gelf-docker-2018.07.13", "_type"=>"doc", "_id"=>"vswJkWQBs0A5FeImsam8", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"}}}}

Logstash configuration

input {
        gelf {
                type => docker
                host => "0.0.0.0"
                port => 12201
        }

}

#filter{
#       if [tag] == "nginx" {

#       }
#}
## Add your filters / logstash plugins configuration here

output {
        elasticsearch {
                hosts => "elasticsearch:9200"
                manage_template => false
                index => "filebeat-gelf-docker-%{+YYYY.MM.dd}"
        }
}

docker logging
There is a gelf port configured in logstahs

...
   wordpress:
     image: wordpress:latest
     ports:
       - "8000:80"
     environment:
       WORDPRESS_DB_HOST: db:3306
       WORDPRESS_DB_USER: wordpress
       WORDPRESS_DB_PASSWORD: wordpress
     logging:
       driver: gelf
       options:
         gelf-address: "udp://0.0.0.0:12201"
         tag: wordpress
     depends_on:
       - db
     restart: always
     networks:
       - mysql
       - proxy
...

magnusbaeck · July 13, 2018, 2:59pm

This has come up several times before, including as recently as yesterday. Please google the error message ("object mapping for [host] tried to parse field [host] as object, but found a concrete value").

system · August 10, 2018, 2:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.