Parse error for Winlogbeat messages

(Christopher X Candreva) #1

I am receiving parse errors for messages from Winlogbeat, usually for the field winlogbeat_event_data_param2. The full message is:

2018-09-11T19:58:56.387-04:00 WARN [Messages] Failed to index message: index=<graylog_226> id=<a3970e26-b61e-11e8-a5ec-847bebd607f5> error=<{"type":"mapper_parsing_exception","reason":"failed to parse [winlogbeat_event_data_param2]","caused_by":{"type":"illegal_argument_exception","reason":"Invalid format: \"Local\""}}>

I checked my mapping via curl and the API, and under properties I have:

"winlogbeat_event_data_param2" : {
  "type" : "keyword"
}

There is a huge list of entries (1,005 entries in the exported data) for winlogbeat_event_data* and I'm not sure how they were brought in. Are they correct, and how can I verify them? I tried to import the winlogbeat index format yesterday but received an error every time.
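One way to answer the "how can I verify them" question above is to compare the type of every winlogbeat_event_data* field across all indices in the index set, since the same field name mapped as different types in different indices is a common source of mapper_parsing_exception. This is an added example, not code from the thread or from Graylog; the mapping below is a constructed sample in the shape of an Elasticsearch GET /_mapping response, and the date mapping in graylog_226 is assumed for illustration, not something the thread confirms.

```python
import json
import urllib.request
from collections import defaultdict
from typing import Dict, List

# Constructed sample of GET /_mapping output: index -> mappings -> (doc type ->) properties.
# Assumes graylog_226 mapped param2 as a date, which would reject a value like "Local".
SAMPLE_MAPPING = {
    "graylog_225": {"mappings": {"message": {"properties": {
        "winlogbeat_event_data_param1": {"type": "keyword"},
        "winlogbeat_event_data_param2": {"type": "keyword"},
    }}}},
    "graylog_226": {"mappings": {"message": {"properties": {
        "winlogbeat_event_data_param1": {"type": "keyword"},
        "winlogbeat_event_data_param2": {"type": "date"},
    }}}},
}


def fetch_mapping(base_url: str) -> dict:
    """Fetch the live mapping, e.g. fetch_mapping("http://localhost:9200"); unused offline."""
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/_mapping") as resp:
        return json.load(resp)


def field_types(mapping: dict, prefix: str) -> Dict[str, Dict[str, List[str]]]:
    """For each field starting with prefix, return {type: [indices mapping it as that type]}."""
    out: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for index, body in mapping.items():
        m = body.get("mappings", {})
        # ES 7+ has no doc-type level; ES 5/6 (Graylog 2.x) nests properties under a type.
        type_specs = [m] if "properties" in m else list(m.values())
        for spec in type_specs:
            for field, fspec in spec.get("properties", {}).items():
                if field.startswith(prefix):
                    out[field][fspec.get("type", "object")].append(index)
    return {f: dict(t) for f, t in out.items()}


def conflicts(mapping: dict, prefix: str = "winlogbeat_event_data") -> Dict[str, Dict[str, List[str]]]:
    """Only the fields whose type differs between indices."""
    return {f: t for f, t in field_types(mapping, prefix).items() if len(t) > 1}


if __name__ == "__main__":
    for field, types in conflicts(SAMPLE_MAPPING).items():
        print(field, json.dumps(types))
```

Point fetch_mapping at your cluster and pass its result to conflicts() to see which winlogbeat_event_data* fields disagree across graylog_* indices.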

(Jan Doberstein) #2

As long as you do not have the need for that data, I would drop it. See what Elastic writes for this field:

type: object
required: False
The event-specific data. This field is mutually exclusive with user_data. If you are capturing event data on versions prior to Windows Vista, the parameters in event_data are named param1, param2, and so on, because event log parameters are unnamed in earlier versions of Windows.