I am using Winlogbeat 5.x to collect Windows Logs. Lately I have been having an issue with a particular field in the event_data, specifically event_data.param17. This field is used by various event sources to contain data of different kinds. Sometimes it is a date field and sometimes it is a filename field, and so on.
Today I had a lot of exceptions where Elasticsearch thought it was a date field. However, it actually contained a SID like "S-1-5-11". This caused a lot of MapperParsingExceptions. These exceptions caused the whole cluster to stop for minutes at a time. It restarted itself, but it is very annoying to have indexing stop.
I have the 5.0.2 winlogbeat template installed, so I assumed that all fields would be keyword type fields. However, in today's index this particular field was of type date. The rest of the param fields were keyword, as expected.
Anyone seen this? Known problem?
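The mechanism behind what the post describes is Elasticsearch dynamic mapping with date detection enabled: when the first document to carry `event_data.param17` in a new daily index holds a date-like string, the field is typed `date`, a dynamic template keyed on `match_mapping_type: string` never sees it (date detection runs first and the detected type is `date`, not `string`), and every later value that is not a date, such as a SID, is rejected with a MapperParsingException. The check and the fix below are an added example, not code from the original post and not Elastic's own template; they assume an Elasticsearch 5.x cluster reachable at `$ES` (default `http://localhost:9200`), the Winlogbeat 5.x index pattern `winlogbeat-*`, and that the template order `1` is higher than the stock winlogbeat template's order so this one wins on conflict. The helper names `show_field_mapping`, `build_template` and `apply_template` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes Elasticsearch 5.x at $ES
# (default http://localhost:9200) and the Winlogbeat 5.x index pattern winlogbeat-*.
set -euo pipefail
ES="${ES:-http://localhost:9200}"

# Print how one field is currently mapped in one index, e.g.
#   show_field_mapping winlogbeat-2016.12.05 event_data.param17
# to confirm whether the field was dynamically typed "date" instead of "keyword".
show_field_mapping() {
  local index="$1" field="$2"
  curl -s "$ES/$index/_mapping/field/$field?pretty"
}

# Emit an index template (ES 5.x syntax: "template", "_default_") that
#  - turns off date detection, so a date-looking first value is treated as a string, and
#  - maps every string under event_data.* as keyword, the same type the other params got.
# numeric_detection is off by default in ES, so it is not set here.
build_template() {
  cat <<'EOF'
{
  "template": "winlogbeat-*",
  "order": 1,
  "mappings": {
    "_default_": {
      "date_detection": false,
      "dynamic_templates": [
        {
          "event_data_strings": {
            "path_match": "event_data.*",
            "match_mapping_type": "string",
            "mapping": { "type": "keyword", "ignore_above": 1024 }
          }
        }
      ]
    }
  }
}
EOF
}

# Install the template under a hypothetical name. Templates only apply to indices
# created afterwards: the index that already has param17 as "date" keeps that mapping
# until it rolls over (or is reindexed), so expect the errors to continue until then.
apply_template() {
  build_template | curl -s -XPUT "$ES/_template/winlogbeat-event-data-keyword" \
    -H 'Content-Type: application/json' --data-binary @-
}
```

Run `show_field_mapping` against the failing index first; a `"type": "date"` for `event_data.param17` next to `"type": "keyword"` for the other params confirms date detection as the cause. After `apply_template`, check the next day's index the same way. The two settings are independent: `date_detection: false` alone stops the mis-typing, and the dynamic template alone is not enough, because it cannot match a value that was already detected as a date.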