CloudTrail to CloudWatch Issues

[danielcbright]

Hi,

I'm setting this up manually and trying to point it at our existing ES cluster (not using Amazon ES). I have CloudTrail logging to CloudWatch and a subscription from Kinesis and all that is working great, the consumer connects to Kinesis fine too, that's not the issue.

The issue I'm seeing is this:

I get these WARN and ERROR messages from the logs about the nested JSON array that is returned with the requestParameters field:

2015-10-30 19:12:46,022 WARN  ElasticsearchEmitter - Returning 1 records as failed
2015-10-30 19:12:56,028 ERROR ElasticsearchEmitter - Record failed with message: MapperParsingException[failed to parse [requestParameters.iamInstanceProfile]]; nested: ElasticsearchIllegalArgumentException[unknown property [arn]];

In Elasticsearch, I do get data, but it looks like it's coming in as bulk, and the JSON isn't being parsed properly (I've cut this output down a lot for readability):

failed to execute bulk item (index) index {[cwl-2015.10.30][CloudTrail [3225203955xxxxxxxxxxxxxxxxxxxx1130203408060579867], source[{"eventID":"e95e5.....
.....06xx","@owner":"xxxxxxxxxxxxxx","@id":"322xxxxxxxxxxxxxxxxxxxxxxx071130203408060579867"}]}
org.elasticsearch.index.mapper.MapperParsingException: failed to parse [requestParameters.iamInstanceProfile]
at org.elasticsearch.index.mapper.core.AbstractFieldMapper.parse(AbstractFieldMapper.java:411)
at org.elasticsearch.index.mapper.object.ObjectMapper.serializeObject(ObjectMapper.java:554)
at org.elasticsearch.index.mapper.object.ObjectMapper.parse(ObjectMapper.java:487)
at org.elasticsearch.index.mapper.object.ObjectMapper.serializeObject(ObjectMapper.java:554)
at org.elasticsearch.index.mapper.object.ObjectMapper.parse(ObjectMapper.java:487)
at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:544)
at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:493)
at org.elasticsearch.index.shard.IndexShard.prepareCreate(IndexShard.java:466)
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardIndexOperation(TransportShardBulkAction.java:418)
at org.elasticsearch.action.bulk.TransportShardBulkAction.shardOperationOnPrimary(TransportShardBulkAction.java:148)
at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase.performOnPrimary(TransportShardReplicationOperationAction.java:574)
at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase$1.doRun(TransportShardReplicationOperationAction.java:440)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:36)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.elasticsearch.ElasticsearchIllegalArgumentException: unknown property [arn]
at org.elasticsearch.index.mapper.core.StringFieldMapper.parseCreateFieldForString(StringFieldMapper.java:331)
at org.elasticsearch.index.mapper.core.StringFieldMapper.parseCreateField(StringFieldMapper.java:277)
at org.elasticsearch.index.mapper.core.AbstractFieldMapper.parse(AbstractFieldMapper.java:401)
... 15 more

I'm not a java developer so I hesitate to jump into the code

Thanks!

[stephenkaraga-twc]

:+1:

[Gary-Armstrong]

:+1: