Ruby exception occurred: can't convert Array into an exact number

[evik-santika-ioh]

Hi @enotspe

I got error in ruby filter when using config

1. syslog-fortinet-fortigate-input-kv.conf or syslog-fortinet-fortigate-input5424-kv.conf
2. syslog-fortinet-fortigate_2_ecsv2.conf
3. syslog-fortinet-common_ecs-output.conf

I'm not change any config, only change port input. and output ES.

[ERROR][logstash.filters.ruby ][main][a87af76ae105d59b87fe27c4e7659d1c6cc7ec07a265cd75c57200456445fbc9] Ruby exception occurred: can't convert Array into an exact number {:class=>"TypeError", :backtrace=>["org/jruby/RubyTime.java:510:inlocaltime'", "(ruby filter code):5:in block in filter_method'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:96:ininline_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.8/lib/logstash/filters/ruby.rb:89:in filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:indo_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in block in multi_filter'", "org/jruby/RubyArray.java:1821:ineach'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:inmulti_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in block in start_workers'"]}

can you reproduce for this case?

Thank you

[enotspe]

you are getting an array of values for timezone. Just comment out the whole "day of week, hour of day" section on syslog-fortinet-common_ecs-output.conf and check what value are you are getting for timezone. Let's troubleshoot from there

[evik-santika-ioh]

Can you see this log, i see this log not success sent log to ES, can you give advice?

[2023-10-19T15:01:59,508][INFO ][logstash.filters.geoip   ][syslog-fortinet-common_ecs-output] Using geoip database {:path=>"/var/lib/logstash/plugins/filters/geoip/1697699465/GeoLite2-City.mmdb"}
[2023-10-19T15:01:59,537][INFO ][logstash.filters.geoip.databasemanager][syslog-fortinet-common_ecs-output] By not manually configuring a database path with `database =>`, you accepted and agreed MaxMind EULA. For more details please visit https://www.maxmind.com/en/geolite2/eula
[2023-10-19T15:01:59,538][INFO ][logstash.filters.geoip   ][syslog-fortinet-common_ecs-output] Using geoip database {:path=>"/var/lib/logstash/plugins/filters/geoip/1697699465/GeoLite2-City.mmdb"}
[2023-10-19T15:01:59,663][INFO ][logstash.javapipeline    ][syslog-fortinet-common_ecs-output] Starting pipeline {:pipeline_id=>"syslog-fortinet-common_ecs-output", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/syslog-fortinet-common_ecs-output.conf"], :thread=>"#<Thread:0x72340c64@/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:53 run>"}
[2023-10-19T15:01:59,885][WARN ][org.logstash.plugins.pipeline.PipelineBus][syslog-fortinet-fortigate_2_ecsv2][29a6aa27ca7002ac905931a3f66296c9a559f80ec562f0a6bc6cce6e7d356a3a] Attempted to send event to 'syslog-fortinet-common_ecs-output' but that address was unavailable. Maybe the destination pipeline is down or stopping? Will Retry.
[2023-10-19T15:02:00,530][INFO ][logstash.javapipeline    ][syslog-fortinet-common_ecs-output] Pipeline Java execution initialization time {"seconds"=>0.86}
[2023-10-19T15:02:00,546][INFO ][logstash.javapipeline    ][syslog-fortinet-common_ecs-output] Pipeline started {"pipeline.id"=>"syslog-fortinet-common_ecs-output"}
[2023-10-19T15:02:00,612][INFO ][logstash.agent           ] Pipelines running {:count=>3, :running_pipelines=>[:"syslog-fortinet-fortigate-input5424-kv", :"syslog-fortinet-fortigate_2_ecsv2", :"syslog-fortinet-common_ecs-output"], :non_running_pipelines=>[]}
[2023-10-19T15:02:00,885][WARN ][org.logstash.plugins.pipeline.PipelineBus][syslog-fortinet-fortigate_2_ecsv2][29a6aa27ca7002ac905931a3f66296c9a559f80ec562f0a6bc6cce6e7d356a3a] Attempted to send event to 'syslog-fortinet-common_ecs-output' but that address was unavailable. Maybe the destination pipeline is down or stopping? Will Retry.

i'm already makesure pipiline.yml and config file same like in you github. in output file only change Elasticsearch endpoint and user pass.

When i try running

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/syslog-fortinet-common_ecs-output.conf -r

and change input config for make sure config normal

input {
    udp {
        port => 5141
        buffer_size => 131072
#
        add_field => {"[data_stream][type]" => "logs"}
        add_field => {"[data_stream][dataset]" => "fortinet.fortigate"}
        add_field => {"[data_stream][namespace]" => "default"}
#
        source_ip_fieldname => "[observer][ip]"
        add_field => { "[logstash][hostname]" => "${HOSTNAME:no_logstash_hostname}" }
        #tags => [ "fortianalyzer" ]
    }
}

It's running normal

[evik-santika-ioh]

i try combine all conf from input (syslog-fortinet-fortigate-input5424-kv.conf), (syslog-fortinet-fortigate_2_ecsv2.conf) until Output (syslog-fortinet-fortigate_2_ecsv2.conf) and comment "day of week, hour of day"

Logstash running and give this log

This is correct?

[enotspe]

you are not generating event.original. that is very weird.

Try changing event.original for message to see if we can make it pass the first grok at least

https://github.com/enotspe/fortinet-2-elasticsearch/blob/master/logstash/conf.d/syslog-fortinet-fortigate-input5424-kv.conf#L59C18-L59C38