Error sending log from FIlebeat to Logstash in Cluser Environment

[Stefano Serano]

Hi.

In my new cluster environment i've this problem:

Filebeat from node 2 try to send log to Master, but logstash refued it with this error:

Could not index event to Elasticsearch. {:status=>400, :action=>["index", 

{:_id=>nil, :_index=>"wazuh-alerts-3.x-2020.02.03", :_type=>"_doc", :routing=>nil}, 

#<LogStash::Event:0xcdc351a>], :response=>{"index"=>{"_index"=>"wazuh-alerts-3.x-2020.02.03", 

"_type"=>"_doc", "_id"=>"jAMzC3ABVXEiUeDeH4cW", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", 

"reason"=>"failed to parse field [host] of type [keyword] in document with id 'jAMzC3ABVXEiUeDeH4cW'. Preview of field's value: 

'{name=ossec-nodo2}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:478"}}}}}

I need to maintain Logstash because i've configured some filters, attached to this mail you can see my Filebeat and Logstash config file, hope this help.

[Antonio PV]

Hi Stefano,

The problem seems to be that your logs have the host used as other type of variable.

You can avoid that posting a mutate for logstash.

mutate { rename => ["host", "server"] convert => {"server" => "string"} }

I saw that in your logstash configuration you are missing some of our configuration.

Here you can find our template in case you want to update it. Which version of elasticsearch are you using?

If you are using the version 6.8.6 or below you can use this configuration that you will find in this template. You can copy that configuration to your 01-wazuh.conf.

https://raw.githubusercontent.com/wazuh/wazuh/v3.11.3/extensions/logstash/6.x/01-wazuh-remote.conf

Regards.

 

[Stefano Serano]

Hi antonio.

Thank for your help, now all work fine.

I'm using Elastic version 7.3.2, which template can i use?

Have a nice day and thank again.

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/-d5ibEpPwoQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b3aba5ef-be7b-46fd-be9b-5c4743deab20%40googlegroups.com.

[Antonio PV]

Hi Stefano,

I´m glad to hear that helped.

If you are in the version 7.3.2, the use of Logstash is no longer required, however if you have to use it because your custom configuration then you shouldn´t take our templates.

Our templates are focused on Filebeat in the 7.* ELK versions, to avoid the use of Logstash.

So if you are going to use Logstash anyway then just continue with your current configuration.

Regards.