Type mismatch in AWS Cloudtrail logs


Jeremy Utley

Oct 30, 2025, 11:54:01 AM (5 days ago) Oct 30
to Wazuh | Mailing List
Hello everyone!

I'm seeing some errors when Filebeat tries to write specific AWS Cloudtrail events to Opensearch.  Take the following event:

{"timestamp":"2025-10-30T07:01:34.760+0000","rule":{"level":3,"description":"AWS Cloudtrail","id":"100324","firedtimes":2956,"mail":false,"groups":["custom_cloudtrail"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1761807694.1525912439","full_log":"{\"integration\": \"aws\", \"aws\": {\"log_info\": {\"aws_account_alias\": \"\", \"log_file\": \"Cloudtrail/AWSLogs/932612681020/CloudTrail/us-east-1/2025/10/30/932612681020_CloudTrail_us-east-1_20251030T0700Z_bQDaRCzxYfaypLVt.json.gz\", \"s3bucket\": \"cloudtrail-logs-97ae809d\"}, \"eventVersion\": \"1.10\", \"userIdentity\": {\"type\": \"AssumedRole\", \"principalId\": \"AROA5SJAMFU6DCLLOHGZ2:ConfigResourceCompositionSession\", \"arn\": \"arn:aws:sts::932612681020:assumed-role/AWSConfigRole/ConfigResourceCompositionSession\", \"accountId\": \"932612681020\", \"sessionContext\": {\"sessionIssuer\": {\"type\": \"Role\", \"principalId\": \"AROA5SJAMFU6DCLLOHGZ2\", \"arn\": \"arn:aws:iam::932612681020:role/AWSConfigRole\", \"accountId\": \"932612681020\", \"userName\": \"AWSConfigRole\"}, \"attributes\": {\"creationDate\": \"2025-10-30T06:57:08Z\", \"mfaAuthenticated\": \"false\"}}, \"invokedBy\": \"config.amazonaws.com\"}, \"eventTime\": \"2025-10-30T06:57:08Z\", \"eventSource\": \"ec2.amazonaws.com\", \"eventName\": \"DescribeTransitGateways\", \"awsRegion\": \"us-east-1\", \"sourceIPAddress\": \"config.amazonaws.com\", \"userAgent\": \"config.amazonaws.com\", \"requestParameters\": {\"DescribeTransitGatewaysRequest\": {\"Filter\": [{\"Value\": {\"tag\": 1, \"content\": 932612681020}, \"tag\": 1, \"Name\": \"owner-id\"}, {\"Value\": [{\"tag\": 1, \"content\": \"available\"}, {\"tag\": 2, \"content\": \"pending\"}], \"tag\": 2, \"Name\": \"state\"}], \"MaxResults\": 1000}}, \"requestID\": \"e5677675-8a09-44b8-b511-76e9047f113b\", \"eventID\": \"0dbbe55e-fd2b-4eb4-a908-769026ac08ab\", \"readOnly\": true, \"eventType\": \"AwsApiCall\", \"managementEvent\": true, \"recipientAccountId\": \"932612681020\", \"eventCategory\": \"Management\", \"source\": \"cloudtrail\", \"aws_account_id\": \"932612681020\"}}","decoder":{"name":"json"},"data":{"integration":"aws","aws":{"log_info":{"log_file":"Cloudtrail/AWSLogs/932612681020/CloudTrail/us-east-1/2025/10/30/932612681020_CloudTrail_us-east-1_20251030T0700Z_bQDaRCzxYfaypLVt.json.gz","s3bucket":"cloudtrail-logs-97ae809d"},"eventVersion":"1.10","userIdentity":{"type":"AssumedRole","principalId":"AROA5SJAMFU6DCLLOHGZ2:ConfigResourceCompositionSession","arn":"arn:aws:sts::932612681020:assumed-role/AWSConfigRole/ConfigResourceCompositionSession","accountId":"932612681020","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"AROA5SJAMFU6DCLLOHGZ2","arn":"arn:aws:iam::932612681020:role/AWSConfigRole","accountId":"932612681020","userName":"AWSConfigRole"},"attributes":{"creationDate":"2025-10-30T06:57:08Z","mfaAuthenticated":"false"}},"invokedBy":"config.amazonaws.com"},"eventTime":"2025-10-30T06:57:08Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeTransitGateways","awsRegion":"us-east-1","sourceIPAddress":"config.amazonaws.com","userAgent":"config.amazonaws.com","requestParameters":{"DescribeTransitGatewaysRequest":{"Filter":[{"Value":{"tag":1,"content":932612681020},"tag":1,"Name":"owner-id"},{"Value":[{"tag":1,"content":"available"},{"tag":2,"content":"pending"}],"tag":2,"Name":"state"}],"MaxResults":"1000"}},"requestID":"e5677675-8a09-44b8-b511-76e9047f113b","eventID":"0dbbe55e-fd2b-4eb4-a908-769026ac08ab","readOnly":"true","eventType":"AwsApiCall","managementEvent":"true","recipientAccountId":"932612681020","eventCategory":"Management","source":"cloudtrail","aws_account_id":"932612681020"}},"location":"Wazuh-AWS"}

This generates the following error excerpt in Filebeat's log:

{"type":"illegal_argument_exception","reason":"mapper [data.aws.requestParameters.DescribeTransitGatewaysRequest.Filter.Value.content] cannot be changed from type [keyword] to [long]"}

According to the research I've done, this is occurring because the "data.aws.requestParameters.DescribeTransitGatewaysRequest.Filter" key in the event is actually a list.  This list has one item where the "Value.content" is of type long, while in the other item, "Value" is again a list with 2 items, where the content is of type keyword.  And since Opensearch tries to "flatten" lists, it comes up with a mismatched type.

Is that understanding correct?

Assuming so, probably the best solution for me would be to modify the Opensearch template to disable indexing on the "Filter" value, correct?

Thanks for any advice you can give me!

Jeremy Utley

Gastón Maximiliano Ibarra

Oct 30, 2025, 12:33:39 PM (5 days ago) Oct 30
to Wazuh | Mailing List
Hi Jeremy,

The issue you're encountering stems from a data type mapping conflict in OpenSearch. Specifically, the "illegal_argument_exception" error is triggered because the field `data.aws.requestParameters.DescribeTransitGatewaysRequest.Filter.Value.content` contains inconsistent data types within the AWS CloudTrail event you're trying to index.

To break it down step by step:

- The `Filter` field is an array (list) that holds multiple elements.
- In one element, `Value` is an object where `content` is a numeric value (treated as a "long" type, such as the account ID 932612681020).
- In another element, `Value` is itself an array containing multiple objects, where each `content` is a string (treated as a "keyword" type, like "available" or "pending").

OpenSearch attempts to "flatten" these nested structures for uniform indexing, but when it encounters a number in one spot and text in another under the same path, it results in a type mismatch. Once a field is mapped as one type (e.g., keyword), it can't be dynamically changed to another (e.g., long), leading to the error.

This is a common challenge with dynamic data sources like AWS events, where structures can vary by event type. Your initial understanding is spot on: it's due to the inconsistency in the array and OpenSearch's flattening behavior.

As a solution, yes, disabling indexing on that field (e.g., by setting `"enabled": false` in your OpenSearch template for `requestParameters` or specifically for `Filter`) is a solid approach if you don't need to search or filter on those values. Alternatively, mapping it as a "flattened" type allows handling variable structures without conflicts, preserving some query capabilities.

Please let us know if you need more support on this, we are glad to help you.

Max 

Wazuh
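An added example, not code from the thread or from Wazuh: a small Python script that walks the `data.aws.requestParameters` subtree of the event above the way OpenSearch dynamic mapping sees it (array elements share their parent's path), reports every path whose leaves would need two different field types, and builds the nested template fragment that disables indexing below `Filter`. The event subtree is constructed from the first post; `es_type` is a simplified approximation of dynamic mapping, and `disabled_object_mapping` is a helper name chosen here.

```python
from collections import defaultdict

# Constructed from the CloudTrail event in the first post: only the subtree that matters.
EVENT = {"data": {"aws": {"requestParameters": {"DescribeTransitGatewaysRequest": {
    "Filter": [
        {"Value": {"tag": 1, "content": 932612681020}, "tag": 1, "Name": "owner-id"},
        {"Value": [{"tag": 1, "content": "available"},
                   {"tag": 2, "content": "pending"}], "tag": 2, "Name": "state"},
    ],
    "MaxResults": "1000",
}}}}}

def es_type(value):
    """Simplified guess at the OpenSearch dynamic-mapping type for a JSON leaf."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, (int, float)):
        return "long" if isinstance(value, int) else "float"
    return "keyword"  # strings (dynamic mapping may add a text sub-field too)

def leaf_types(obj, path="", acc=None):
    """Collect the set of leaf types per dotted path; arrays add no path segment."""
    if acc is None:
        acc = defaultdict(set)
    if isinstance(obj, dict):
        for key, val in obj.items():
            leaf_types(val, f"{path}.{key}" if path else key, acc)
    elif isinstance(obj, list):
        for item in obj:  # siblings of different shape collide on the same path
            leaf_types(item, path, acc)
    elif obj is not None:
        acc[path].add(es_type(obj))
    return acc

def mapping_conflicts(doc):
    """Paths whose leaves would need two different field types in one mapping."""
    return {p: sorted(t) for p, t in leaf_types(doc).items() if len(t) > 1}

def disabled_object_mapping(path):
    """Nested 'properties' fragment that switches off indexing below `path`."""
    node = {"type": "object", "enabled": False}
    for key in reversed(path.split(".")):
        node = {"properties": {key: node}}
    return node

if __name__ == "__main__":
    print(mapping_conflicts(EVENT))
    print(disabled_object_mapping("data.aws.requestParameters.DescribeTransitGatewaysRequest.Filter"))
```

Running it on the constructed subtree reports exactly the path named in the Filebeat error with types `['keyword', 'long']`, and the printed fragment can be merged under `mappings` in the index template.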