I'm running sidecars winlogbeats on my AD servers and I'm receiving messages from all my sidecars.
But there are no messages in “Show received messages”.
The only thing I found is errors in the Indexer failures tab: {"type":"mapper_parsing_exception","reason":"failed to parse field [level] of type [long] in document with id 'f816da62-a6ff-11ea-80ba-001b789b56bc'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"Information\""}}
I tried to Recalculate index ranges and Rotate active write index, but I still get the same error.
All other inputs work fine.
Do you know what this error means and how to fix it?
You should create a custom Elasticsearch template that forces the field level to be a string - or create a different index set for your winlogbeat messages to separate them from the source that is sending in the same field (level) as a number.
What @jan is saying is that the initial message parts filling the field (level) were recognized and set as “long”, and now you have machine(s) with winlogbeat trying to put a “string” into that field. You can either specify some custom index settings or you can create a separate index that receives the data from the devices that are writing a string. A third possibility: you can rename (https://docs.graylog.org/en/latest/pages/pipelines/functions.html#rename-field) the string field in a pipeline to something new (“level-info”) so it does not conflict with the “long” field once it gets to Elasticsearch.
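
To see which fields and values are behind such indexer failures before picking one of the fixes above, the failure messages can be parsed and grouped by field. This is an added example, not part of the original posts: the first sample is the message quoted in the question, the other two are constructed, and the function names are hypothetical.

```python
import json
import re
from collections import defaultdict

# Sample 1 is the failure quoted in the question; samples 2 and 3 are constructed.
SAMPLE_FAILURES = [
    r'''{"type":"mapper_parsing_exception","reason":"failed to parse field [level] of type [long] in document with id 'f816da62-a6ff-11ea-80ba-001b789b56bc'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"Information\""}}''',
    r'''{"type":"mapper_parsing_exception","reason":"failed to parse field [level] of type [long] in document with id 'constructed-id-0002'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"Warning\""}}''',
    r'''{"type":"cluster_block_exception","reason":"constructed non-mapping failure"}''',
]

FIELD_RE = re.compile(r"failed to parse field \[(?P<field>[^\]]+)\] of type \[(?P<type>[^\]]+)\]")
VALUE_RE = re.compile(r'For input string: "(?P<value>.*)"')


def parse_failure(raw):
    """Return (field, mapped_type, offending_value), or None if not a mapping conflict."""
    try:
        err = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(err, dict) or err.get("type") != "mapper_parsing_exception":
        return None
    field_match = FIELD_RE.search(err.get("reason", ""))
    if not field_match:
        return None
    value_match = VALUE_RE.search((err.get("caused_by") or {}).get("reason", ""))
    value = value_match["value"] if value_match else None
    return field_match["field"], field_match["type"], value


def summarize(failures):
    """Group mapping conflicts by field: mapped type, rejected values, failure count."""
    conflicts = defaultdict(lambda: {"mapped_type": None, "values": set(), "count": 0})
    for raw in failures:
        parsed = parse_failure(raw)
        if parsed is None:
            continue  # other failure types need a different fix
        field, mapped_type, value = parsed
        conflicts[field]["mapped_type"] = mapped_type
        conflicts[field]["count"] += 1
        if value is not None:
            conflicts[field]["values"].add(value)
    return dict(conflicts)


if __name__ == "__main__":
    for field, info in summarize(SAMPLE_FAILURES).items():
        print(f"{field}: index expects {info['mapped_type']}, "
              f"rejected {sorted(info['values'])} in {info['count']} message(s)")
```

Each field listed is one that needs the custom mapping, the separate index set, or the pipeline rename described in the answers.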