wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

illegal_argument_exception #26281

Open selfing12 opened 5 days ago

selfing12 commented 5 days ago

System: redos8. Wazuh version:

wazuh-dashboard.x86_64: 4.9.0-2
wazuh-indexer.x86_64: 4.9.0-1
wazuh-manager.x86_64:  4.9.0-1
{
  "name" : "******************",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "Adq3RAfgQg-nXm3u8CuDbg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "9fd1835bba77ae04d48550eb4dc9be4787070806",
    "build_date" : "2024-08-30T10:04:33.447803Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Filebeat OSS 7.12:

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.9.0/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Filebeat config:

output.elasticsearch:
  hosts: ["*************:9200"]
  protocol: https
  username: admin
  password: *******************
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

logging.level: debug
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
Error:

```
[WazuhError]: search_phase_execution_exception: [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [manager.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.
```

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "search_phase_execution_exception: [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [manager.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.",
    "attributes": {
        "error": {
            "root_cause": [
                {
                    "type": "illegal_argument_exception",
                    "reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [manager.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory."
                }
            ],
            "type": "search_phase_execution_exception",
            "reason": "all shards failed",
            "phase": "query",
            "grouped": true,
            "failed_shards": [
                {
                    "shard": 0,
                    "index": "wazuh-alerts-4.x-2024.10.11",
                    "node": "45sdhwLLTDSQiGJ_3sGFeA",
                    "reason": {
                        "type": "illegal_argument_exception",
                        "reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [manager.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory."
                    }
                }
            ],
            "caused_by": {
                "type": "illegal_argument_exception",
                "reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [manager.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.",
                "caused_by": {
                    "type": "illegal_argument_exception",
                    "reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [manager.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory."
                }
            }
        }
    }
}

This error is observed with some fields, and I do not see the data in Wazuh.
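The exception reports that `manager.name` is mapped as `text`, which is what dynamic mapping produces when an alerts index is created before the Wazuh index template has been loaded into the indexer. The following check is an added example, not code from this issue or from Wazuh: it walks an index mapping (a constructed sample stands in for the output of `GET wazuh-alerts-*/_mapping`) and lists every `text` field that has no `keyword` sub-field, i.e. every field on which a dashboard aggregation or sort would fail this way.

```python
import json

# Constructed sample mapping standing in for `GET wazuh-alerts-4.x-2024.10.11/_mapping`
# on an index that was created by dynamic mapping instead of the Wazuh template.
SAMPLE_MAPPING = json.loads("""
{
  "wazuh-alerts-4.x-2024.10.11": {
    "mappings": {
      "properties": {
        "timestamp": {"type": "date"},
        "agent": {"properties": {
          "id": {"type": "keyword"},
          "name": {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}
        }},
        "manager": {"properties": {
          "name": {"type": "text"}
        }},
        "rule": {"properties": {
          "level": {"type": "long"},
          "description": {"type": "text"}
        }}
      }
    }
  }
}
""")


def text_fields_without_keyword(props, prefix=""):
    """Return dotted paths of `text` fields that carry no `keyword` sub-field.

    Aggregating or sorting on such a field raises the illegal_argument_exception
    quoted in the issue; a field with a `.keyword` multi-field can at least be
    aggregated via `<field>.keyword`.
    """
    found = []
    for name, spec in props.items():
        path = f"{prefix}{name}"
        if "properties" in spec:  # object field: descend into its sub-fields
            found.extend(text_fields_without_keyword(spec["properties"], path + "."))
        elif spec.get("type") == "text":
            sub_fields = spec.get("fields", {})
            if not any(f.get("type") == "keyword" for f in sub_fields.values()):
                found.append(path)
    return found


def check_mapping_response(mapping_response):
    """Map each index name in a _mapping response to its problematic field paths."""
    return {idx: text_fields_without_keyword(body["mappings"].get("properties", {}))
            for idx, body in mapping_response.items()}


if __name__ == "__main__":
    for idx, bad in check_mapping_response(SAMPLE_MAPPING).items():
        print(idx, "-> text fields without keyword sub-field:", bad or "none")
```

Replace `SAMPLE_MAPPING` with the real `_mapping` response to see which fields the template did not reach; a field's type cannot be changed on an existing index, so once the template is loaded the affected index has to be recreated or reindexed.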

selfing12 commented 2 days ago

@vikman90 @chemamartinez