failed to parse field [http.content_range] of type [keyword]

Question

failed to parse field [http.content_range] of type [keyword]

chris-ana opened this issue 4 years ago · 6 comments

Hi,

i have ELK 7.6.2 Ubuntu 18.04. and i send logs from pfsense using beats 6.8.7

[2020-04-23T11:36:46,752][WARN ][logstash.outputs.elasticsearch][synlite_suricata] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"suricata-1.1.0-2020.04.22", :routing=>nil, :_type=>"_doc"}, #LogStash::Event:0x6cdceb6e], :response=>{"index"=>{"_index"=>"suricata-1.1.0-2020.04.22", "_type"=>"_doc", "_id"=>"gDwupnEBHbGBrxJRn8Jk", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [http.content_range] of type [keyword] in document with id 'gDwupnEBHbGBrxJRn8Jk'. Preview of field's value: '{size=127499264, start=3519, raw=bytes 3519-3717/127499264, end=3717}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:404"}}}}}

Could you advice the correct type?
Thank you.

Answer 1 · 2020-04-23T15:35:33.000Z

Hi,
It's probably related due to your template.
By the way, this link might help you. I've modified Roberts version to be compatible with ECS & SIEM

https://github.com/ipworkx/ecs-suricata

Best regards,
Regards,
Thierry

Answer 2 · 2020-05-05T06:05:26.000Z

Hi,
i try to copy you templates but the same issue again.
Thank you for your help

Best regards,
Chris

Answer 3 · 2020-05-05T09:02:34.000Z

Okay,
It’s related to what you have configured in the suricata.yml. The field should be an object (keyword or string) but it’s more.
That’s the problem.
You should change the template, or change the yml file regarding this field.

Here’s a link explaining this issue.

https://stackoverflow.com/questions/41873672/updating-a-field-with-a-nested-array-in-elastic-search

Regards,
Thierry

Answer 4 · 2020-07-05T21:49:38.000Z

Same here, how can I fix it? Suricata version 5.0.3, Elk 7.8.0

Jul 06 08:13:48 elk-lab logstash[18735]: [2020-07-06T08:13:48,847][WARN ][logstash.outputs.elasticsearch][synlite_suricata][7f0f636925cafdc45ccbf6445a1562dacede6781ba4cf6f1b34e30bf21e877ba] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"suricata-1.1.0-2020.07.06", :routing=>nil, :_type=>"_doc"}, #LogStash::Event:0x7a62212f], :response=>{"index"=>{"_index"=>"suricata-1.1.0-2020.07.06", "_type"=>"_doc", "_id"=>"sJSvIXMBcEOi1DSnsOAZ", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [http.content_range] of type [keyword] in document with id 'sJSvIXMBcEOi1DSnsOAZ'. Preview of field's value: '{size=9846192, start=45898, raw=bytes 45898-88631/9846192, end=88631}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:941"}}}}}

Answer 5 · 2020-07-07T11:38:06.000Z

Jul 07 18:15:37 elk logstash[25106]: [2020-07-07T18:15:37,627][WARN ][logstash.outputs.elasticsearch][synlite_suricata][7f0f636925cafdc45ccbf6445a1562dacede6781ba4cf6f1b34e30bf21e877ba] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"suricata-1.1.0-2020.07.07", :routing=>nil, :_type=>"_doc"}, #LogStash::Event:0x7c30048b], :response=>{"index"=>{"_index"=>"suricata-1.1.0-2020.07.07", "_type"=>"_doc", "_id"=>"ffb9KHMBrL4FY38oBcn0", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [dns.flags] of type [long] in document with id 'ffb9KHMBrL4FY38oBcn0'. Preview of field's value: 'a805'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"For input string: "a805""}}}}}

Answer 6 · 2021-07-28T15:14:50.000Z

Closing all issues as this project has been archived.