failed to parse field [http.content_range] of type [keyword]

[chris-ana]

Hi,

i have ELK 7.6.2 Ubuntu 18.04. and i send logs from pfsense using beats 6.8.7

[2020-04-23T11:36:46,752][WARN ][logstash.outputs.elasticsearch][synlite_suricata] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"suricata-1.1.0-2020.04.22", :routing=>nil, :_type=>"_doc"}, #], :response=>{"index"=>{"_index"=>"suricata-1.1.0-2020.04.22", "_type"=>"_doc", "_id"=>"gDwupnEBHbGBrxJRn8Jk", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [http.content_range] of type [keyword] in document with id 'gDwupnEBHbGBrxJRn8Jk'. Preview of field's value: '{size=127499264, start=3519, raw=bytes 3519-3717/127499264, end=3717}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:404"}}}}}

Could you advice the correct type? Thank you.

[ipworkx]

Hi, It's probably related due to your template. By the way, this link might help you. I've modified Roberts version to be compatible with ECS & SIEM

https://github.com/ipworkx/ecs-suricata

Best regards, Regards, Thierry

[chris-ana]

Hi, i try to copy you templates but the same issue again. Thank you for your help

Best regards, Chris

[ipworkx]

Okay, It’s related to what you have configured in the suricata.yml. The field should be an object (keyword or string) but it’s more. That’s the problem. You should change the template, or change the yml file regarding this field.

Here’s a link explaining this issue.

https://stackoverflow.com/questions/41873672/updating-a-field-with-a-nested-array-in-elastic-search

Regards, Thierry

[cuonpm]

Same here, how can I fix it? Suricata version 5.0.3, Elk 7.8.0

Jul 06 08:13:48 elk-lab logstash[18735]: [2020-07-06T08:13:48,847][WARN ][logstash.outputs.elasticsearch][synlite_suricata][7f0f636925cafdc45ccbf6445a1562dacede6781ba4cf6f1b34e30bf21e877ba] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"suricata-1.1.0-2020.07.06", :routing=>nil, :_type=>"_doc"}, #], :response=>{"index"=>{"_index"=>"suricata-1.1.0-2020.07.06", "_type"=>"_doc", "_id"=>"sJSvIXMBcEOi1DSnsOAZ", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [http.content_range] of type [keyword] in document with id 'sJSvIXMBcEOi1DSnsOAZ'. Preview of field's value: '{size=9846192, start=45898, raw=bytes 45898-88631/9846192, end=88631}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:941"}}}}}

[cuonpm]

Jul 07 18:15:37 elk logstash[25106]: [2020-07-07T18:15:37,627][WARN ][logstash.outputs.elasticsearch][synlite_suricata][7f0f636925cafdc45ccbf6445a1562dacede6781ba4cf6f1b34e30bf21e877ba] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"suricata-1.1.0-2020.07.07", :routing=>nil, :_type=>"_doc"}, #], :response=>{"index"=>{"_index"=>"suricata-1.1.0-2020.07.07", "_type"=>"_doc", "_id"=>"ffb9KHMBrL4FY38oBcn0", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [dns.flags] of type [long] in document with id 'ffb9KHMBrL4FY38oBcn0'. Preview of field's value: 'a805'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"For input string: \"a805\""}}}}}

[robcowart]

Closing all issues as this project has been archived.