
[Filebeat] mapper [o365.audit.Folders.FolderItems.SizeInBytes] cannot be changed from type [long] to [float] #36155

Open
kowalczyk-p opened this issue Jul 25, 2023 · 5 comments
Labels
bug, Filebeat, Team:Security-Service Integrations

Comments


kowalczyk-p commented Jul 25, 2023

Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.

For security vulnerabilities please only send reports to [email protected].
See https://www.elastic.co/community/security for more information.

Please include configurations and logs if available.

For confirmed bugs, please report:

  • Version:
  • Operating System:
  • Discuss Forum URL:
  • Steps to Reproduce:

In my setup Filebeat fetches o365 logs and sends them to Elasticsearch via Logstash. The index template was exported from Filebeat and set up in Elasticsearch. In the Logstash logs I see "Could not index event to Elasticsearch" errors with the reason

mapper [o365.audit.Folders.FolderItems.SizeInBytes] cannot be changed from type [long] to [float]

The field o365.audit.Folders.FolderItems.SizeInBytes is not defined in the index template from Filebeat. The version is 8.6.2.

kowalczyk-p changed the title from "mapper [o365.audit.Folders.FolderItems.SizeInBytes] cannot be changed from type [long] to [float]" to "[Filebeat] mapper [o365.audit.Folders.FolderItems.SizeInBytes] cannot be changed from type [long] to [float]" on Jul 25, 2023
botelastic bot added the needs_team label (indicates that the issue/PR needs a Team:* label) on Jul 25, 2023
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

botelastic bot removed the needs_team label (indicates that the issue/PR needs a Team:* label) on Aug 11, 2023
Contributor

efd6 commented Aug 16, 2023

@kowalczyk-p Are you able to provide the mapping for the affected index, and an example document that fails from the Logstash logs?

Author

kowalczyk-p commented Sep 25, 2023

Example document (redacted):

{
  "client": {
    "ip": "2a00:f41:58c5:d3e6:c00f:206c:8fa3:c0a2",
    "address": "2a00:f41:58c5:d3e6:c00f:206c:8fa3:c0a2"
  },
  "agent": {
    "version": "8.6.2",
    "type": "filebeat",
    "id": "02258696-f268-4b59-90d2-85404ad17474",
    "ephemeral_id": "369ee3db-25d6-42ad-a873-9db8c7edefe0",
    "name": "filebeat-downloader-1"
  },
  "source": {
    "ip": "2a00:f41:58c5:d3e6:c00f:206c:8fa3:c0a2"
  },
  "@timestamp": "2023-07-20T09:32:19.000Z",
  "host": {
    "ip": "2a00:f41:58c5:d3e6:c00f:206c:8fa3:c0a2",
    "id": "53d83e1d-82ae-4273-84e9-01ec5045dd81",
    "name": "redacted"
  },
  "@version": "1",
  "fileset": {
    "name": "audit"
  },
  "event": {
    "type": "info",
    "action": "MailItemsAccessed",
    "category": "web",
    "outcome": "success",
    "kind": "event",
    "module": "o365",
    "dataset": "o365.audit",
    "provider": "Exchange",
    "id": "a9d1e65a-a53a-4c86-b813-2b68bef65281",
    "code": "ExchangeItemAggregated"
  },
  "o365": {
    "audit": {
      "CreationTime": "2023-07-20T09:32:19",
      "Workload": "Exchange",
      "Id": "a9d1e65a-a53a-4c86-b813-2b68bef65281",
      "Operation": "MailItemsAccessed",
      "MailboxGuid": "8d768f85-4042-4eb4-b5c4-97ee10cd7fd3",
      "OriginatingServer": "DB7PR02MB4854 (15.20.4200.000)\r\n",
      "ClientIPAddress": "2a00:f41:58c5:d3e6:c00f:206c:8fa3:c0a2",
      "MailboxOwnerUPN": "redacted",
      "OperationProperties": [
        {
          "Name": "MailAccessType",
          "Value": "Bind"
        },
        {
          "Name": "IsThrottled",
          "Value": "False"
        }
      ],
      "ExternalAccess": false,
      "RecordType": 50,
      "LogonType": 0,
      "ResultStatus": "Succeeded",
      "InternalLogonType": 0,
      "UserKey": "100E94256F07",
      "UserId": "redacted",
      "UserType": 0,
      "ClientInfoString": "Client=ActiveSync",
      "OrganizationId": "redacted",
      "Folders": [
        {
          "FolderItems": [
            {
              "InternetMessageId": "<AM6PR02MB3896A4165287E14304030815F43EA@AM6PR02MB3896.eurprd02.prod.outlook.com>",
              "SizeInBytes": 57970
            },
            {
              "InternetMessageId": "<JMR.24b9aef6-9ea3-449a-2b0a-08db884719ee.Phish.638254352890851019@microsoft.com>",
              "SizeInBytes": 2200149
            },
            {
              "InternetMessageId": "<[email protected]>",
              "SizeInBytes": 96878
            },
            {
              "InternetMessageId": "<AM9PR02MB7411B51B26E2DD210B82C19AE13EA@AM9PR02MB7411.eurprd02.prod.outlook.com>",
              "SizeInBytes": 117985,
              "Sensitivity": "bfa804fb-21fc-474f-98af-2c980d1a3d72"
            },
            {
              "InternetMessageId": "<2184161863.44995076@redacted>",
              "SizeInBytes": 552490
            },
            {
              "InternetMessageId": "<DB4PR02MB95755D615308979D4A320D43F33EA@DB4PR02MB9575.eurprd02.prod.outlook.com>",
              "SizeInBytes": 86299,
              "Sensitivity": "747a845c-ee2a-49b8-8111-12f560be386a"
            },
            {
              "InternetMessageId": "<PR3PR02MB6283B813313CD445A5A386EDEA3EA@PR3PR02MB6283.eurprd02.prod.outlook.com>",
              "SizeInBytes": 54259
            },
            {
              "InternetMessageId": "<VI1PR02MB596589A375DA37FCC7F9CEA48D3EA@VI1PR02MB5965.eurprd02.prod.outlook.com>",
              "SizeInBytes": 75920,
              "Sensitivity": "bfa804fb-21fc-474f-98af-2c980d1a3d72"
            },
            {
              "InternetMessageId": "<DU0PR02MB919578DB4167DFB0C2E7C41B8A3EA@DU0PR02MB9195.eurprd02.prod.outlook.com>",
              "SizeInBytes": 73246,
              "Sensitivity": "bfa804fb-21fc-474f-98af-2c980d1a3d72"
            },
            {
              "InternetMessageId": "<7319cd42-7f07-4f4b-b195-881154e34bba@redacted>",
              "SizeInBytes": 50750
            }
          ],
          "Path": "\\Skrzynka odbiorcza",
          "Id": "LgAAAACSyavwl71dQKeIw6qCPefCAQBN7HBtH57KTJSObrpY9dRHAAAEJHY/AAAB"
        }
      ],
      "LogonUserSid": "redacted",
      "OperationCount": 10,
      "MailboxOwnerSid": "redacted",
      "Version": 1,
      "OrganizationName": "redacted"
    }
  },
  "service": {
    "type": "o365"
  },
  "ecs": {
    "version": "1.12.0"
  },
  "organization": {
    "id": "redacted",
    "name": "redacted"
  },
  "related": {
    "user": "redacted",
    "ip": "2a00:f41:58c5:d3e6:c00f:206c:8fa3:c0a2"
  },
  "user": {
    "email": "redacted",
    "domain": "redacted",
    "id": "redacted",
    "name": "redacted"
  },
  "network": {
    "type": "ipv6"
  },
  "input": {
    "type": "o365audit"
  },
  "tags": [
    "forwarded",
    "beats",
    "logstash_pipeline_beats",
    "beats_input_raw_event"
  ],
  "ABS_SIEM_OUTPUT": {
    "index_name": "logs-filebeat.8.6.2-o365",
    "pipeline": "filebeat-8.6.2-o365-audit-pipeline"
  },
  "data_stream": {
    "type": "logs",
    "dataset": "filebeat.8.6.2",
    "namespace": "o365"
  }
}

The index mapping is pretty big, so I'm adding it as an attachment.
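As an added example (not code from the issue, Filebeat or Logstash), the check below emulates how Elasticsearch dynamic mapping would type a field that the index template leaves undefined, walking the nested Folders[].FolderItems[] arrays of the document above, and builds the explicit `properties` fragment that pins the field so its type cannot drift between events. The sample events, the simplified type inference and the choice of `long` for SizeInBytes are constructed assumptions.

```python
from collections import Counter

# Constructed sample events (not from the issue), shaped like the o365.audit
# document above. The second one carries a fractional SizeInBytes value.
DOCS = [
    {"o365": {"audit": {"Folders": [{"FolderItems": [
        {"InternetMessageId": "<a@example.invalid>", "SizeInBytes": 57970},
        {"InternetMessageId": "<b@example.invalid>", "SizeInBytes": 96878},
    ]}]}}},
    {"o365": {"audit": {"Folders": [{"FolderItems": [
        {"InternetMessageId": "<c@example.invalid>", "SizeInBytes": 1024.5},
    ]}]}}},
]

def walk(value, parts):
    """Yield every leaf under a dotted path; arrays are transparent, as they
    are in Elasticsearch field paths (Folders[].FolderItems[].SizeInBytes)."""
    if isinstance(value, list):
        for item in value:
            yield from walk(item, parts)
    elif not parts:
        yield value
    elif isinstance(value, dict) and parts[0] in value:
        yield from walk(value[parts[0]], parts[1:])

def dynamic_type(value):
    """Approximate the type Elasticsearch dynamic mapping infers for a JSON scalar."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "long"
    if isinstance(value, float):
        return "float"
    return "text" if isinstance(value, str) else None

def field_types(docs, path):
    """Count the inferred types of `path` across `docs`. More than one key means
    dynamic mapping would try to change the field's type and reject events."""
    return Counter(dynamic_type(v) for d in docs for v in walk(d, path.split(".")))

def has_conflict(docs, path):
    return len(field_types(docs, path)) > 1

def explicit_mapping(path, es_type):
    """Build the `properties` fragment that pins the field in the index template,
    so its type is fixed before the first event is indexed."""
    leaf = {"type": es_type}
    for name in reversed(path.split(".")):
        leaf = {"properties": {name: leaf}}
    return leaf
```

Running `field_types` over a sample of real events before they reach Elasticsearch shows whether the undefined field mixes integer and fractional values; `explicit_mapping` gives the fragment to merge into the template's `mappings` so the type is chosen deliberately rather than by the first event.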

@kowalczyk-p
Author

o365-mapping.txt

andrewkroh added the Filebeat label on Sep 26, 2023
@elasticmachine
Collaborator

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

narph added the bug label on Oct 2, 2024