Constantly Getting Field Errors Shares Are Failing
530 views
Skip to first unread message
Matthew M.
Feb 25, 2020, 5:38:26 PM2/25/20
to Wazuh mailing list
After moving everything through LogStash to get all Wazuh agent data into ElasticSearch and creating a cluster I am now getting failures on all of my shards.
It seems like these Date/Time fields are getting mapped to keywords. How do I dynamically correct this so I do not have to fix it every time a new entry gets created?
This is the info from the log
indices:data/read/search[phase/fetch/id]]Caused by: java.lang.IllegalArgumentException: Field [data.FilteringDate] of type [keyword] does not support custom formats
[indices:data/read/search[phase/fetch/id]]Caused by: java.lang.IllegalArgumentException: Field [winlog.event_data.DeviceTime] of type [keyword] does not support custom formats
It seems like these Date/Time fields are getting mapped to keywords. How do I dynamically correct this so I do not have to fix it every time a new entry gets created?
This could have also resulted form the update from Elastic 7.5 to 7.6
Jesus Linares
Mar 13, 2020, 6:52:06 AM3/13/20
to Wazuh mailing list
Hi Matthew,
Sorry for the late reply. This looks like an issue with the index template. Both fields (data.FilteringDate and winlog.event_data.DeviceTime) are dates and the format is not supported in a keyword.
I recommend adding the fields to the Wazuh template in Elasticsearch. Here you have a similar issue: https://github.com/wazuh/wazuh-kibana-app/issues/1951 that was fixed by adding the fields to the template: https://github.com/wazuh/wazuh/pull/4356/files
I hope it helps.
Matthew M.
Mar 13, 2020, 2:31:50 PM3/13/20
to Wazuh mailing list
Jesus,
Yea, I finally decided to reload the Wazuh template. Somehow when I upgraded from 7.5 to 7.6 the template went completely blank. I've not reloaded it and customized the template appropriately and everything seems to be working better. I continued to have issues with Keywords and other fields so I had to make a customized Logstash config and change the template around before it started working properly.
Now that I've done that I haven't had any more errors, however I am running into issues with ILM that I'm trying to resolve that I will create another thread for if I can't find a solution.
Thanks.
Jesus Linares
Mar 19, 2020, 5:14:00 AM3/19/20
to Wazuh mailing list
Hi Matthew,
I'm glad you solved your issue. Please, feel free to create another thread if you need more help with any topic.
Regarding ILM, we will publish a post on our blog soon.
Regards.
Reply all
Reply to author
Forward
0 new messages