Winlogbeat to Logstash to Elasticsearch error

theflakes · August 7, 2016, 9:48pm

I have a Win2012 R2 Server sending logs to to logstash via Winlogbeat. I see the logs in the logstash.log file but each gets the below error.

:response=>{"index"=>{"_index"=>"winlogbeat-2016.08.07", "_type"=>"wineventlog", "_id"=>nil, "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"Failed to parse mapping [default]: No handler for type [keyword] declared on field [related_activity_id]", "caused_by"=>{"type"=>"mapper_parsing_exception", "reason"=>"No handler for type [keyword] declared on field [related_activity_id]"}}}}, :level=>:warn}

I'm new to the ELK stack and have searched and tried many things to fix this with no luck. I think I have the winlogbeat template imported into elasticsearch ok as I see both the filebeat and the winlogbeat template when I query it on port 9200.

ELK stack is running on Ubuntu 14.04 LTS and using Winlogbeat v1.2.3.

Any help would be very much appreciated.

theflakes · August 7, 2016, 10:19pm

Figured it out. The filebeat template was causing the problem as it was using the type:keyword that isn't supported in the version of ES I'm running.

Deleted it and it is now working as expected.

curl -XDELETE localhost:9200/_template/filebeat

Topic		Replies	Views
Metricbeat -> LS -> ES, template error [SOLVED] Logstash	5	1969	July 6, 2017
Failed to load temp Beats metricbeat	3	945	November 10, 2016
Winlogbeat 1.x works fine but can't get 5 up Beats winlogbeat	2	791	December 14, 2016
Filebeat giving "mapper_parsing_exception error Beats filebeat	2	791	May 7, 2018
Winlogbeat - Event Tagging and Overriding 'type' in Logstash Beats winlogbeat	3	3358	April 12, 2016

Winlogbeat to Logstash to Elasticsearch error

Related Topics