Parse error for Winlogbeat messages

I am receiving parse errors for messages from Winlogbeat, usually for the field winlogbeat_event_data_param2 . The full message is:

2018-09-11T19:58:56.387-04:00 WARN [Messages] Failed to index message: index=<graylog_226> id=<a3970e26-b61e-11e8-a5ec-847bebd607f5> error=<{"type":"mapper_parsing_exception","reason":"failed to parse [winlogbeat_event_data_param2]","caused_by":{"type":"illegal_argument_exception","reason":"Invalid format: \"Local\""}}>

I checked my mapping via curl and the api, and under properties I have:
“winlogbeat_event_data_param2” : {
“type” : “keyword”
},

There are a huge list of enties (1,005 entries in the exported data) for winlogbeat_event_data* and I"m not sure how they were brought in. Are they correct, how can I verify them ? I tried to import the winlogbeat index format yesterday but receivced an error every time.

As long as you do not have the need to that data, I would drop it. See what elastic writes for this field:

event_data
type: object
required: False
The event-specific data. This field is mutually exclusive with user_data . If you are capturing event data on versions prior to Windows Vista, the parameters in event_data are named param1 , param2 , and so on, because event log parameters are unnamed in earlier versions of Windows.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.