Failed to index Okta log message - failed to parse field

I tried using the new Okta input in version 3.3 and successfully connected it with the API key; however, once connected I get a huge amount of input errors which look like this. Any thoughts? I can also open a Graylog issue, I’m just not sure if it should be on the Enterprise Plugins or which project.

```
2020-05-27T22:58:53.751Z WARN  [Messages] Failed to index message: index=<graylog_1346> id=<a2bc24a6-a06d-11ea-99a5-005056af71da> error=<{"type":"mapper_parsing_exception","reason":"failed to parse field [session_id] of type [long] in document with id 'a2bc24a6-a06d-11ea-99a5-005056af71da'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"trsZamicotHQCqlFRf3PkxY3Q\""}}>
2020-05-27T22:58:53.751Z WARN  [Messages] Failed to index message: index=<graylog_1346> id=<a2bc24a5-a06d-11ea-99a5-005056af71da> error=<{"type":"mapper_parsing_exception","reason":"failed to parse field [session_id] of type [long] in document with id 'a2bc24a5-a06d-11ea-99a5-005056af71da'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"102F0pz_EAYQbiue4D-JJJqcg\""}}>
2020-05-27T22:58:53.751Z WARN  [Messages] Failed to index message: index=<graylog_1346> id=<a2bc24a1-a06d-11ea-99a5-005056af71da> error=<{"type":"mapper_parsing_exception","reason":"failed to parse field [session_id] of type [long] in document with id 'a2bc24a1-a06d-11ea-99a5-005056af71da'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"1027D0CSP-2ThmG5bm2KHiMvg\""}}>
```

Hey @abraxas

The reason here is that you have the field session_id in your index that is of type long, but the rejected messages are strings.

Use a different index set, create a processing pipeline rule that checks the content of session_id and does something with the non-matching content, or create a custom Elasticsearch mapping that forces a specific content type in the index for that field: those are the 3 options.

Each with its own drawbacks and advantages.

Jan

PS: that is not related to the okta plugin!

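An added example for the third option above (not part of the original posts and not Graylog's own code): it parses warning lines in the format quoted in this thread, groups the rejected values by index and field, and builds a template body that maps the conflicting fields as `keyword`. The sample lines are constructed, and the template layout (the `graylog_*` pattern and the `message` mapping type) is an assumption for an Elasticsearch 6 backend.

```python
import json
import re
from collections import defaultdict

LINE_RE = re.compile(r"Failed to index message: index=<(?P<index>[^>]+)> "
                     r"id=<(?P<id>[^>]+)> error=<(?P<error>\{.*\})>\s*$")
FIELD_RE = re.compile(r"failed to parse field \[(?P<field>[^\]]+)\] "
                      r"of type \[(?P<type>[^\]]+)\]")
VALUE_RE = re.compile(r'For input string: "(?P<value>.*)"')

# Constructed sample lines (made-up ids and values) in the thread's log format.
SAMPLE = [
    r'''2020-01-01T00:00:00.000Z WARN  [Messages] Failed to index message: index=<graylog_0> id=<id-1> error=<{"type":"mapper_parsing_exception","reason":"failed to parse field [session_id] of type [long] in document with id 'id-1'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"EXAMPLE-A\""}}>''',
    r'''2020-01-01T00:00:01.000Z WARN  [Messages] Failed to index message: index=<graylog_0> id=<id-2> error=<{"type":"mapper_parsing_exception","reason":"failed to parse field [session_id] of type [long] in document with id 'id-2'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"EXAMPLE-B\""}}>''',
    "2020-01-01T00:00:02.000Z INFO  [Example] unrelated line that must be skipped",
]

def find_conflicts(lines):
    """Group rejected values by (index, field, mapped type)."""
    conflicts = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            err = json.loads(m.group("error"))
        except ValueError:
            continue  # truncated or malformed error payload
        if err.get("type") != "mapper_parsing_exception":
            continue
        f = FIELD_RE.search(err.get("reason", ""))
        v = VALUE_RE.search(err.get("caused_by", {}).get("reason", ""))
        if f:
            key = (m.group("index"), f.group("field"), f.group("type"))
            conflicts[key].append(v.group("value") if v else None)
    return dict(conflicts)

def keyword_template(conflicts, pattern="graylog_*"):
    """Template body forcing each conflicting field to keyword (assumed ES 6 layout)."""
    props = {field: {"type": "keyword"} for (_, field, _) in conflicts}
    return {"template": pattern, "mappings": {"message": {"properties": props}}}

if __name__ == "__main__":
    found = find_conflicts(SAMPLE)
    for (index, field, mapped), values in found.items():
        print(f"{index}: {field} mapped as {mapped}, {len(values)} value(s) rejected")
    print(json.dumps(keyword_template(found), indent=2))
```

An index template only affects indices created after it is loaded, so the active write index has to be rotated before the new mapping takes effect.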

That makes sense! I put it into the same index where I was storing Okta messages from a manual API pull & filebeat so I can see why there would be a conflict.

Will try pointing to another index or do some pipeline work if that doesn’t fix it.

PS – I changed the title to reflect the issue and not the Okta plugin. Really like the simplicity of getting it set up!
