Winlogbeat Error after upgrade

Hi everyone, I upgraded Winlogbeat from 6.2.4 to 6.8.

Same exact configs, same Logstash conf file.

I now get this error. Any ideas?

[2020-04-13T11:18:30,467][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"winevents-domain-controllers-2020.04.13", :_type=>"doc", :routing=>nil}, #LogStash::Event:0x6d25b8b3], :response=>{"index"=>{"_index"=>"winevents-domain-controllers-2020.04.13", "_type"=>"doc", "_id"=>"PtUedHEBacbM0UXs2o7Z", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [host] of type [keyword] in document with id 'PtUedHEBacbM0UXs2o7Z'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:978"}}}}}

Hi @Elk_huh,

It looks like your index was created with a new version of Beats that is implementing the ECS but the Logstash output isn't aware of it. (https://www.elastic.co/guide/en/beats/winlogbeat/6.8/exported-fields-host-processor.html)

Can you try the following:

ECS has a host.name field, which corresponds to the host name being output from Logstash. By adding a Mutate filter with a rename directive, you can move the host field to host.name with the field-reference syntax as below to align with the schema that you already have in Elasticsearch:

filter {
  mutate {
    # Winlogbeat 6.8 ships host as an object; move it under the ECS host.name field.
    # The rename option takes a hash, so the "=>" after rename is required.
    rename => {
      "[host]" => "[host][name]"
    }
  }
}

Let us know if that worked in your case.
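To make the shape change behind that 400 visible, here is an added example (not code from the thread or from Elastic): a small model of how a keyword-mapped `host` field reacts to the 6.2.4 string shape versus the 6.8 object shape, and a normalizer that does what the rename above intends. The sample events are constructed; the only 6.8 sub-field relied on is `host.name`, the rest are assumed for illustration.

```python
"""Model of the host-field shape change behind the mapper_parsing_exception.

Added example, not part of the original thread. Sample events are constructed.
"""
from typing import Any, Dict


class MapperParsingError(ValueError):
    """Stand-in for Elasticsearch's mapper_parsing_exception."""


def keyword_value(doc: Dict[str, Any], field: str) -> str:
    """Return the value a `keyword`-mapped field would index.

    A keyword mapping accepts a string but not an object; an object here is
    what Elasticsearch reports as "Can't get text on a START_OBJECT".
    """
    value = doc.get(field)
    if isinstance(value, dict):
        raise MapperParsingError(
            f"failed to parse field [{field}] of type [keyword]: got object")
    return str(value)


def normalize_host(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Give `host` the ECS object shape regardless of the Beats version.

    6.2.4 shipped host as a plain string; 6.8 ships an object carrying at
    least host.name. This mirrors the intent of the mutate/rename filter.
    """
    out = dict(doc)
    host = out.get("host")
    if isinstance(host, str):
        out["host"] = {"name": host}
    elif isinstance(host, dict) and "name" not in host:
        raise MapperParsingError("host object lacks ECS host.name")
    return out


# Constructed sample events (hostname and sub-fields are assumptions).
OLD_EVENT = {"@timestamp": "2020-04-13T11:18:30Z", "host": "DC1"}
NEW_EVENT = {"@timestamp": "2020-04-13T11:18:30Z",
             "host": {"name": "DC1", "hostname": "DC1",
                      "os": {"family": "windows"}}}

if __name__ == "__main__":
    for ev in (OLD_EVENT, NEW_EVENT):
        try:
            print("keyword host:", keyword_value(ev, "host"))
        except MapperParsingError as exc:
            print("rejected:", exc)
        print("normalized host.name:", normalize_host(ev)["host"]["name"])
```

Running it shows the old event indexing cleanly as a keyword while the new event is rejected, and both ending up with the same `host.name` after normalization.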
