Winlogbeat Could not index event - "source.ip: 'LOCAL'" Not an IP String Literal #19627
Comments
Pinging @elastic/siem (Team:SIEM)
Pinging @elastic/integrations (Team:Integrations)
Could you please provide a copy of the event being indexed as well as the configuration in use with Winlogbeat. We need to be able to identify what module and event ID was being processed when this occurred. Typically we are validating IP fields before copying them into the
Unfortunately, I cannot provide a copy of the events being indexed, as they are failing to index, and there is no indication of what device(s) the events are coming from. Based on the number of times this error is shown, I would assume the events are coming from all devices. I can, however, give you as many examples of the errors from Logstash as you want. There are hundreds of these every day.
Still looking for a fix on this. Any update? We are now running Winlogbeat 7.9.1 and the issue is still present.
Can you try setting up a dead letter queue to capture the event that's failing to index? https://www.elastic.co/guide/en/logstash/current/dead-letter-queues.html
@andrewkroh, please see below. Redacted computer, user, and domain names, but these messages are from three different devices, all running Winlogbeat 7.9.1.
For event 4778 (A session was reconnected to a Window Station) the `winlog.event_data.ClientAddress` could be "LOCAL" which is obviously not a valid IP so we don't want to copy it into `source.ip` in that case. Fixes elastic#19627
I've opened #21325 to fix this.
Thank you, @andrewkroh
For event 4778 (A session was reconnected to a Window Station) the `winlog.event_data.ClientAddress` could be "LOCAL" which is obviously not a valid IP so we don't want to copy it into `source.ip` in that case. Fixes #19627
For event 4778 (A session was reconnected to a Window Station) the `winlog.event_data.ClientAddress` could be "LOCAL" which is obviously not a valid IP so we don't want to copy it into `source.ip` in that case. Fixes elastic#19627 (cherry picked from commit 8c992c5)
I am not sure how long the issue has been happening, but I just now noticed this appears to have regressed with the migration to Ingest Pipelines for Winlogbeat instead of local parsing. As a temporary workaround, I have modified the
Can someone on the Elastic side address this with a permanent fix? Eric
Opened #34252 for this. This is my first attempt at contributing anything to GH. Can someone give a quick walkthrough on how to push the changes? I forked the Beats repo and made the changes there, but not sure how to push this up for review. Changes here to my fork here.
I think I got it figured out. PR is just pending approval. I have signed a Contributor Agreement, but it still says that I have not.
I am seeing quite a lot of errors in Logstash for Winlogbeat events failing to index. The error indicates events are coming in with "source.ip: LOCAL" which is not a valid IP address. If for some reason the literal string for the IP address is being read as "LOCAL", the agent should convert this to "127.0.0.1" to prevent index failures.