robcowart / synesis_lite_suricata

Suricata IDS/IPS log analytics using the Elastic Stack.

failed to parse field [event.host] of type [keyword] #6

Closed xisafe closed 5 years ago

xisafe commented 5 years ago

ELK FILEBEAT 6.4.2

[WARN ] 2019-04-08 15:37:37.272 [Ruby-0-Thread-19: :1] elasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"suricata-1.0.1-2019.04.08", :_type=>"doc", :routing=>nil}, #], :response=>{"index"=>{"_index"=>"suricata-1.0.1-2019.04.08", "_type"=>"doc", "_id"=>"ZhDh-2kB5FeKoMpssAt5", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [event.host] of type [keyword]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:220"}}}}}

adziubin commented 5 years ago

"+"

misheher commented 5 years ago

Same here, how can I fix it?

xisafe commented 5 years ago

"+"

Same here, how can I fix it?

use filebeat 6.2

xisafe commented 5 years ago

@misheher @adziubin use filebeat 6.2 elk 6.2

willie-lin commented 5 years ago

update "[host]" => "[event][host]" to "[host][hostname]" => "[event][host]"
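The error in the thread is a shape mismatch: the pipeline renames `[host]` to `[event][host]`, which is mapped as `keyword`, but newer Filebeat emits `host` as an object (with `host.name` / `host.hostname`) instead of a plain string, so Elasticsearch reports "Can't get text on a START_OBJECT". The comment above fixes it by renaming `[host][hostname]` instead, i.e. a Logstash `mutate { rename => { "[host][hostname]" => "[event][host]" } }`. The Python below is an added illustration, not code from the synesis_lite_suricata project: it models both rename variants and adds a pre-index check that flags object values under keyword-mapped paths, so a mapping conflict like this one is caught before Logstash ever sends a bulk request. The sample events, field names and the hostname value are constructed assumptions.

```python
import copy

# Constructed sample events (assumptions, not captured data).
# The first mirrors the flat string form of `host` that worked for the thread's
# reporters on Filebeat 6.2; the second mirrors the object form newer Filebeat
# emits, which is what breaks the keyword mapping of event.host.
EVENT_HOST_STRING = {"host": "sensor-01", "event_type": "alert"}
EVENT_HOST_OBJECT = {
    "host": {"name": "sensor-01", "hostname": "sensor-01"},
    "event_type": "alert",
}


def rename_host_naive(event):
    """Equivalent of the original rename "[host]" => "[event][host]":
    moves whatever is under `host` verbatim, object or not."""
    out = copy.deepcopy(event)
    host = out.pop("host", None)
    if host is not None:
        out.setdefault("event", {})["host"] = host
    return out


def rename_host_fixed(event):
    """Equivalent of the suggested "[host][hostname]" => "[event][host]",
    but tolerant of the old flat form so one pipeline serves both Filebeat
    versions. Uses host.name when hostname is missing (assumption)."""
    out = copy.deepcopy(event)
    host = out.pop("host", None)
    if isinstance(host, dict):
        host = host.get("hostname") or host.get("name")
    if host is not None:
        out.setdefault("event", {})["host"] = host
    return out


def _lookup(event, dotted_path):
    """Resolve a dotted path like 'event.host' inside a nested dict."""
    node = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_keyword_fields(event, keyword_paths):
    """Return (path, reason) tuples for keyword-mapped paths whose value is an
    object (or a list containing objects). Elasticsearch coerces scalars into a
    keyword field but rejects an object, which is the failure in this issue."""
    problems = []
    for path in keyword_paths:
        value = _lookup(event, path)
        if isinstance(value, dict):
            problems.append((path, "object where keyword expected"))
        elif isinstance(value, list) and any(isinstance(v, dict) for v in value):
            problems.append((path, "list containing objects where keyword expected"))
    return problems


if __name__ == "__main__":
    # event.host is the keyword field from the thread; other paths could be
    # added from the index template.
    keyword_paths = ["event.host"]
    for label, fn in (("naive", rename_host_naive), ("fixed", rename_host_fixed)):
        for ev in (EVENT_HOST_STRING, EVENT_HOST_OBJECT):
            out = fn(ev)
            print(label, out.get("event"), check_keyword_fields(out, keyword_paths))
```

Running the check on the naive rename of the object-form event reproduces the problem (one finding for `event.host`), while the fixed rename yields a plain string for both input shapes and no findings. In a real pipeline the same check belongs in a Logstash ruby filter or a small test harness run against sample Filebeat output whenever Beats is upgraded, since schema changes in the shipper are what turned a working rename into a 400 from Elasticsearch.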

robcowart commented 5 years ago

Release v1.1.0 supports Elastic Stack 7.x and has fixed this issue.