Quick question. I have Graylog (2.4.6) capturing some syslogging for me. I imported a Cisco ASA extractor from the marketplace without any issues and I can see the messages showing up under my search. However, when I try to display world map data for the source IPs I get the following error in my Elastic logs:
Caused by: java.lang.IllegalArgumentException: Fielddata is disabled on text fields by default. Set fielddata=true on [message] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.
Out of curiosity, which extractor are you using? I use a simple grok pattern against our incoming ASA traffic to a new field "source_ip", and the geolocation data executes fine.
I'm actually trying SonicWall and ASA extractors from the marketplace.
For the SonicWall extractor, when attempting to use the world map on the src_ip field, I get all sorts of errors, despite it looking like what I believe to be right:
I must have extractors wrong, because my log file is full of exceptions like this:
2018-08-07T09:56:54.802+12:00 ERROR [Extractor] Could not apply converter 2019-01-03 17:04:04.
java.lang.IllegalArgumentException: Invalid format: "id=firewall sn=18B1690D3AB8 time…"
at org.joda.time.format.DateTimeFormatter.parseDateTime(DateTimeFormatter.java:945) ~[graylog.jar:?]
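As an added worked example (not code from this thread, from Graylog, or from either marketplace extractor), the script below does in plain Python what a working extractor setup has to do for both failures discussed above: it pulls the source address out of an ASA connection message and out of a SonicWall key=value line into a dedicated field, so the map widget has a bare IP to work with instead of the analyzed full-text "message" field that the first Elasticsearch error complains about, and it applies the date format only to the SonicWall "time" value. The last function mimics the extractor's date converter: feeding it the whole line fails, which is the same shape as the Joda "Invalid format" exception quoted above, whose offending value is the entire message rather than a timestamp. The sample log lines, the serial number, the addresses, the expected time layout, and the function names are all constructed assumptions for this example.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample messages for this example (not taken from the thread).
ASA_LINE = (
    "%ASA-6-302013: Built inbound TCP connection 1234 for "
    "outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.2/5123 (10.0.0.2/5123)"
)
SONICWALL_LINE = (
    'id=firewall sn=0000000000AB time="2019-01-03 17:04:04" fw=198.51.100.1 pri=6 '
    'c=1024 m=98 msg="Connection Opened" src=203.0.113.7:51234:X1 '
    "dst=10.0.0.5:443:X0 proto=tcp/https"
)

# Assumed layout of the SonicWall "time" field; only that field should ever be
# handed to a date converter, never the whole message.
SONICWALL_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Regex equivalent of a grok pattern for ASA 302013/302014 connection messages:
# the first interface:ip/port triple after "for" is the connection source.
ASA_CONNECTION = re.compile(
    r"%ASA-\d-30201[34]: (?:Built|Teardown) (?:inbound |outbound )?"
    r"(?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
    r"(?P<src_iface>[^:\s]+):(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<src_port>\d+)"
)

# key=value tokens; quoted values may contain spaces (e.g. time="... ...").
SONICWALL_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_asa(line):
    """Extract source_ip (plus a few neighbours) from an ASA connection message.

    Returns None when the line is not a connection message, so callers can
    skip it instead of mapping garbage.
    """
    m = ASA_CONNECTION.search(line)
    if not m:
        return None
    fields = m.groupdict()
    ip_address(fields["source_ip"])  # ValueError on anything that is not an IP
    fields["src_port"] = int(fields["src_port"])
    return fields


def parse_sonicwall(line):
    """Split a SonicWall key=value line into fields and derive src_ip from src."""
    fields = {}
    for key, value in SONICWALL_KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value

    # src is "ip:port:interface"; the map widget needs the bare address.
    if "src" in fields:
        parts = fields["src"].split(":")
        ip_address(parts[0])
        fields["src_ip"] = parts[0]
        if len(parts) > 1 and parts[1]:
            fields["src_port"] = int(parts[1])
        if len(parts) > 2:
            fields["src_iface"] = parts[2]

    # Date conversion is applied to the time field alone.
    if "time" in fields:
        fields["time"] = datetime.strptime(fields["time"], SONICWALL_TIME_FORMAT)
    return fields


def date_converter_accepts(value):
    """Mimic an extractor date converter: does this value parse with the format?"""
    try:
        datetime.strptime(value, SONICWALL_TIME_FORMAT)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_asa(ASA_LINE))
    print(parse_sonicwall(SONICWALL_LINE))
    # The converter only works on the time value, not on the whole message.
    print(date_converter_accepts("2019-01-03 17:04:04"), date_converter_accepts(SONICWALL_LINE))
```

The practical check this suggests: confirm in the extractor configuration that the map widget is pointed at the extracted field (source_ip or src_ip) and that any date converter is attached to the extracted time field rather than to a field that still holds the entire line.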