1. Describe your incident:
I am seeing multiple and constant index failures for my new environment.
2. Describe your environment:
OS Information: Ubuntu 24.04
Package Version: Latest
Service logs, configurations, and environment variables:
In my environment I have an Input for “beats” and an Indices for WinLogBeats that is set up and receiving data from about 12 Windows servers at this stage. I am using the content pack GitHub - s0p4L1n3/Graylog_Content_Pack_Windows_Security as a start.
3. What steps have you already taken to try and solve the problem?
I have tried to rotate the index and researched the issue. I am unable to find what is causing this error. I am trying to understand what is causing a field overlength and which message is the issue.
4. How can the community help?
Wondering if any guidance on where to investigate?
It’s the total distinct fields in the index that is the problem. Normally this happens if you are sending more than one source to a single index, winlogbeat makes a lot of fields, but normally not enough to trigger this by itself.
Also the parsing very well is going sideways and creating a ton of fields, or fields with slightly different names etc.
Thanks. As far as I can tell, the only thing that is going to that index is winlogbeat. Is there any way for me to trace back what is causing the problem?
I had a look at the “Configure WinLogBeat FieldTypes” and it seems to have a lot of fields in there (around 1500), with there being a lot of replicating field names (e.g.
winlogbeat_powershell_command_invocation_details_0_name
winlogbeat_powershell_command_invocation_details_0_related_command
winlogbeat_powershell_command_invocation_details_0_type
winlogbeat_powershell_command_invocation_details_0_value
winlogbeat_powershell_command_invocation_details_100_name
winlogbeat_powershell_command_invocation_details_100_related_command
winlogbeat_powershell_command_invocation_details_100_type
winlogbeat_powershell_command_invocation_details_100_value
winlogbeat_powershell_command_invocation_details_101_name
winlogbeat_powershell_command_invocation_details_101_related_command
winlogbeat_powershell_command_invocation_details_101_type
winlogbeat_powershell_command_invocation_details_101_value)
Can I remove the ones I don’t need, and will it then try to re-create them? I suspect these were all added by the content pack.
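
Added example (not part of the thread or of the content pack): one way to trace which field-name patterns are inflating the distinct-field count is to take the index mapping (for example the JSON returned by the OpenSearch/Elasticsearch `GET <index>/_mapping` call), collapse the numeric segment in names such as `..._details_101_name`, and count how many distinct fields each pattern produced. The index name `winlogbeat_0` and the sample mapping below are constructed for illustration.

```python
import re
from collections import Counter

# A purely numeric segment between underscores, e.g. the "101" in
# winlogbeat_powershell_command_invocation_details_101_name
_INDEX_SEGMENT = re.compile(r"(?<=_)\d+(?=_|$)")


def field_names(mapping):
    """Collect field names from a mapping response shaped like
    {index_name: {"mappings": {"properties": {field: {...}}}}}."""
    names = set()
    for index in mapping.values():
        names.update(index.get("mappings", {}).get("properties", {}))
    return names


def exploding_families(names, min_members=3):
    """Group names that differ only by a numeric segment.

    Returns (pattern, distinct_field_count) pairs, largest first, for
    patterns that account for at least `min_members` separate fields."""
    families = Counter(_INDEX_SEGMENT.sub("N", name) for name in names)
    return [(p, c) for p, c in families.most_common() if c >= min_members]


def sample_mapping():
    """Constructed mapping: three ordinary fields plus the indexed
    PowerShell fields quoted in the thread (indices 0, 100, 101)."""
    props = {
        "message": {"type": "text"},
        "source": {"type": "keyword"},
        "winlogbeat_event_code": {"type": "keyword"},
    }
    prefix = "winlogbeat_powershell_command_invocation_details"
    for i in (0, 100, 101):
        for leaf in ("name", "related_command", "type", "value"):
            props[f"{prefix}_{i}_{leaf}"] = {"type": "keyword"}
    return {"winlogbeat_0": {"mappings": {"properties": props}}}


if __name__ == "__main__":
    names = field_names(sample_mapping())
    print(f"{len(names)} distinct fields")
    for pattern, count in exploding_families(names):
        print(f"{count:5d}  {pattern}")
```

Patterns with a high count are the ones where an array is being flattened into one field per element; those are the fields that come back after deletion as long as the same messages keep being parsed the same way.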