Winlogbeat event_data.param17 format change with MapperParsingException

Hi

I am using Winlogbeat 5.x to collect Windows Logs. Lately I have been having an issue with a particular field in the event_data. Specifically event_data.param17. This field is used by various event sources to contain data of different kinds. Sometimes it is a date field and sometimes it is a filename field and so on.

Today I had a lot of exceptions where Elasticsearch thought it was a date field. However it actually contained a SID field like "S-1-5-11". This caused a lot of MapperParsingException. These exceptions caused the whole cluster to stop for minutes at a time. It restarted itself, but it is very annoying to have indexing stop.

I have the 5.0.2 winlogbeat template installed. So I assumed that all fields would be a keyword type field. However in today's index, this particular field was of type date. The rest of the param fields were keyword as expected.

Anyone seen this? Known problem?

Regards
Kim

The template was setup to mark those fields as keyword, but we didn't disable the date detection in the template so you get this problem. It's fixed in Winlogbeat 5.3+.
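The mechanism behind the reply above: with Elasticsearch's dynamic date detection left at its default, a string value that happens to look like a date (the first document to hit a new `event_data.paramN` field) gets the field mapped as `date`, and every later document carrying a SID or filename in that field fails with MapperParsingException. An added, illustrative 5.x-style index template (not the Winlogbeat project's own template; the template name, pattern and dynamic-template name are assumed) that pins the fix, `"date_detection": false`, next to the keyword mapping so the mapping type no longer depends on whichever event arrives first:

```json
{
  "template": "winlogbeat-*",
  "settings": {
    "index.refresh_interval": "5s"
  },
  "mappings": {
    "_default_": {
      "date_detection": false,
      "numeric_detection": false,
      "dynamic_templates": [
        {
          "event_data_as_keyword": {
            "path_match": "event_data.*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        {
          "strings_as_keyword": {
            "match_mapping_type": "string",
            "mapping": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      ],
      "properties": {
        "@timestamp": {
          "type": "date"
        }
      }
    }
  }
}
```

To confirm what an existing index actually chose for the field, query `GET winlogbeat-*/_mapping/field/event_data.param17`; a template change only affects indices created after it is installed, so an index that already mapped the field as `date` keeps that mapping until it rolls over.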

Hi Andrew

Excellent, I will install updated templates, thanks for speedy assistance

Regards
Kim
