We are currently on 16.04 and planning the v2.3 update for the new year, and carried out the latest 16.04 update across our distributed environment today using the standard soup method. All appeared to go okay with the master update; the new Kibana dashboard looked pretty fast, and after an so-status everything was in an OK state, so I continued with the updates to the other nodes. After completing those and rebooting, I returned to the master server to find Logstash was now showing FAIL, and looking at logstash.log I can see multiple of the following errors before it gives up and shuts it down:
[2020-12-03T07:28:15,996][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-bro-2020.12.03", :routing=>nil, :_type=>"_doc"}, #LogStash::Event:0x342c2a26], :response=>{"index"=>{"_index"=>"logstash-bro-2020.12.03", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"Failed to parse mapping [doc]: mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [destination_geo.latitude] cannot be changed from type [long] to [half_float]"}}}}}
I noticed the update has made a change to the mapping in /etc/logstash/logstash-template.json which removed some components that refer to destination_geo.latitude, so I attempted to swap the backed-up version back in and restart it to see if that made any difference, but no go, so I have put it back.
During one of the other machine updates I did notice au.archive.ubuntu.com (seemed to be down temporarily) was not contactable and caused a bunch of errors, so I re-ran soup on that machine after it came back up. I'm not getting any Logstash errors on that machine or the other node, only the master. I didn't notice any issues during the master update, but just to be sure, given what I saw on one of the nodes, I reran soup on it and there was nothing more it did other than a clean up.
Any help would be much appreciated.
James
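One way to see exactly which fields collide before deciding whether to keep the new template, as an added example that is not part of James's post or of Security Onion's own tooling: flatten the mapping the live daily index already holds (GET /logstash-bro-2020.12.03/_mapping) and the mapping in the updated logstash-template.json, then list every field whose type differs. The two mapping fragments below are constructed samples, and the field names in them are assumptions.

```python
# Constructed sample fragments (assumptions, not the real Security Onion files):
# the mapping an existing daily index such as logstash-bro-2020.12.03 already
# holds, and the matching fragment of the updated logstash-template.json.
EXISTING_INDEX_MAPPING = {
    "properties": {
        "destination_geo": {"properties": {
            "latitude": {"type": "long"},
            "longitude": {"type": "long"},
            "country_name": {"type": "keyword"},
        }},
        "message": {"type": "text"},
    }
}
NEW_TEMPLATE_MAPPING = {
    "properties": {
        "destination_geo": {"properties": {
            "latitude": {"type": "half_float"},
            "longitude": {"type": "half_float"},
            "country_name": {"type": "keyword"},
            "location": {"type": "geo_point"},
        }},
        "message": {"type": "text"},
    }
}

def flatten_mapping(mapping, prefix=""):
    """Return {dotted.field.path: type} for every leaf field in an ES mapping."""
    out = {}
    for name, spec in mapping.get("properties", {}).items():
        path = prefix + name
        if "properties" in spec:  # object field: descend into its sub-fields
            out.update(flatten_mapping(spec, path + "."))
        else:
            out[path] = spec.get("type", "object")
    return out

def mapping_conflicts(existing, template):
    """Fields whose type differs between a live index and the new template.

    A field already mapped in an index cannot change type, so each entry here
    is a candidate for the 'mapper [...] cannot be changed from type [a] to
    [b]' rejection seen in logstash.log.
    """
    old, new = flatten_mapping(existing), flatten_mapping(template)
    return {f: (old[f], new[f]) for f in old if f in new and old[f] != new[f]}

if __name__ == "__main__":
    for field, (old_t, new_t) in mapping_conflicts(
            EXISTING_INDEX_MAPPING, NEW_TEMPLATE_MAPPING).items():
        print(f"{field}: {old_t} -> {new_t}")
```

Fields that only appear in the template (here the assumed geo_point field) are not conflicts; only a type change on a field the index already has will be rejected, and the usual fix is to let the new mapping apply to the next day's index rather than the one already written.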
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/21c93ecf-8a06-4d71-ae0c-630ff21b8cc1n%40googlegroups.com.