Winlogbeat to Logstash to Elasticsearch error

theflakes · August 7, 2016, 9:48pm

I have a Win2012 R2 Server sending logs to to logstash via Winlogbeat. I see the logs in the logstash.log file but each gets the below error.

:response=>{"index"=>{"_index"=>"winlogbeat-2016.08.07", "_type"=>"wineventlog", "_id"=>nil, "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"Failed to parse mapping [default]: No handler for type [keyword] declared on field [related_activity_id]", "caused_by"=>{"type"=>"mapper_parsing_exception", "reason"=>"No handler for type [keyword] declared on field [related_activity_id]"}}}}, :level=>:warn}

I'm new to the ELK stack and have searched and tried many things to fix this with no luck. I think I have the winlogbeat template imported into elasticsearch ok as I see both the filebeat and the winlogbeat template when I query it on port 9200.

ELK stack is running on Ubuntu 14.04 LTS and using Winlogbeat v1.2.3.

Any help would be very much appreciated.

theflakes · August 7, 2016, 10:19pm

Figured it out. The filebeat template was causing the problem as it was using the type:keyword that isn't supported in the version of ES I'm running.

Deleted it and it is now working as expected.

curl -XDELETE localhost:9200/_template/filebeat

Topic		Replies	Views
Logstash Failed to parse with all enclosed parsers Logstash	2	1588	November 30, 2020
Metricbeat -> LS -> ES, template error [SOLVED] Logstash	5	1969	July 6, 2017
Failed to load temp Beats metricbeat	3	945	November 10, 2016
Mapper Parsing Exeception after Upgrade to 6.2.2 Beats winlogbeat	2	739	April 9, 2018
Issues manually loading a template to ES Elasticsearch	2	1166	July 5, 2017

Winlogbeat to Logstash to Elasticsearch error

Related topics