Can't Verify Log Source

[floki]

Good Day!

Can't verify a log source even though I can see it from Unique Hosts report. Also can search its logs from dashboard. Is there something I need to do?

Here's screenshots for reference:
https://drive.google.com/drive/folders/ ... sp=sharing

Regards,

[cdienger]

There are multiple places to run the verify - where are you running it from?

Note that the verify under http://nls_ip/nagioslogserver/configure/source/linux will only verify if syslog data came from the source while running verification on other pages don't have a restriction like this. Try running the verification found on http://nls_ip/nagioslogserver/configure/source/network

[floki]

Alright. Will test these one and let you know the results. Thanks a lot!

[floki]

Still can't verify log sources from /network. Though I can search them through logstash haha its weird. I attach a screen shot:
https://drive.google.com/open?id=1Arr5VYL

Look for the VerifyIncomingTest.jpg
I'm thinking to restart logstash or elasticsearch and see if there's an effect. There's no log entry on logstash.log so maybe there's a problem on my logstash?

[cdienger]

Restarting logstash(service logstash restart) probably wont have any impact on this since the data has already been parsed and inserted into the database and the verify button tries to read entries from the database.

Can you PM me some of the logs that 10.109.196.164 sent as well as screenshots of the dashboard showing the details of these events?

[floki]

Hi

Already sent you the files I don't know why it's not showing verification even though it's receiving logs in the dash board T_T

[cdienger]

Click one of the events seen in 164_LOGS3 so that it drops down to show details of the event. I'd like to see all the fields and their values displayed.

Does the verify work for the 10.109.196.164 host?

[floki]

Okay thank you for help, just logged in and found out that I can now verify the Logs with absolutely doing nothing haha I can now verify the incoming logs

I just extracted the old elasticsearch & logstash logs to see what happened:

Logstash old log:

Code: Select all

{:timestamp=>"2019-01-01T01:20:40.607000+0800", :message=>"Connection refused (Connection refused)", :class=>"Manticore::SocketException", :level=>:error}
{:timestamp=>"2019-01-01T01:20:40.630000+0800", :message=>"Connection refused (Connection refused)", :class=>"Manticore::SocketException", :level=>:error}
{:timestamp=>"2019-01-01T01:20:40.644000+0800", :message=>"Connection refused (Connection refused)", :class=>"Manticore::SocketException", :level=>:error}
{:timestamp=>"2019-01-01T01:20:40.654000+0800", :message=>"Connection refused (Connection refused)", :class=>"Manticore::SocketException", :level=>:error}
{:timestamp=>"2019-01-01T01:20:40.749000+0800", :message=>"Pipeline main started"}
{:timestamp=>"2019-01-01T01:20:41.154000+0800", :message=>"Attempted to send a bulk request to Elasticsearch configured at '[\"http://localhost:9200\"]', but Elasticsearch appears to be unreachable or down!", :error_message=>"Connection refused (Connection refused)", :class=>"Manticore::SocketException", :level=>:error}
{:timestamp=>"2019-01-01T01:34:20.715000+0800", :message=>"Failed action. ", :status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.12.31", :_type=>"eventlog", :_routing=>nil}, #<LogStash::Event:0x4cbde227 @metadata_accessors=#<LogStash::Util::Accessors:0x6629f031 @store={}, @lut={}>, @cancelled=false, @data={"EventTime"=>"2018-12-31 17:34:14", "Hostname"=>" -RAV01", "Keywords"=>4611686018427387904, "EventType"=>"WARNING", "SeverityValue"=>3, "Severity"=>"WARNING", "EventID"=>226, "SourceName"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS", "ProviderGuid"=>"{1139C61B-B549-4251-8ED3-27250A1EDEC8}", "Version"=>0, "Task"=>4, "OpcodeValue"=>19, "RecordNumber"=>6350, "ActivityID"=>"{F420E538-D917-40F2-BA1C-E87C50170000}", "ProcessID"=>868, "ThreadID"=>6552, "Channel"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational", "Domain"=>"NT AUTHORITY", "AccountName"=>"NETWORK SERVICE", "UserID"=>"S-1-5-20", "AccountType"=>"Well Known Group", "Category"=>"RemoteFX module", "Opcode"=>"Runtime", "StateTransition"=>"RDP_TCP", "PreviousState"=>"23", "PreviousStateName"=>"StateUnknown", "NewState"=>"21", "NewStateName"=>"StateDisconnected", "Event"=>"43", "EventName"=>"Event_Disconnect", "ErrorCode"=>"0x80070040", "EventReceivedTime"=>"2018-12-31 17:34:15", "SourceModuleName"=>"eventlog", "SourceModuleType"=>"im_msvistalog", "message"=>"RDP_TCP: An error was encountered when transitioning from StateUnknown in response to Event_Disconnect (error code 0x80070040).", "@version"=>"1", "@timestamp"=>"2018-12-31T17:34:20.208Z", "host"=>"10.109.196.135", "port"=>52025, "type"=>"eventlog"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0x2dd5366 @store={"EventTime"=>"2018-12-31 17:34:14", "Hostname"=>" -RAV01", "Keywords"=>4611686018427387904, "EventType"=>"WARNING", "SeverityValue"=>3, "Severity"=>"WARNING", "EventID"=>226, "SourceName"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS", "ProviderGuid"=>"{1139C61B-B549-4251-8ED3-27250A1EDEC8}", "Version"=>0, "Task"=>4, "OpcodeValue"=>19, "RecordNumber"=>6350, "ActivityID"=>"{F420E538-D917-40F2-BA1C-E87C50170000}", "ProcessID"=>868, "ThreadID"=>6552, "Channel"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational", "Domain"=>"NT AUTHORITY", "AccountName"=>"NETWORK SERVICE", "UserID"=>"S-1-5-20", "AccountType"=>"Well Known Group", "Category"=>"RemoteFX module", "Opcode"=>"Runtime", "StateTransition"=>"RDP_TCP", "PreviousState"=>"23", "PreviousStateName"=>"StateUnknown", "NewState"=>"21", "NewStateName"=>"StateDisconnected", "Event"=>"43", "EventName"=>"Event_Disconnect", "ErrorCode"=>"0x80070040", "EventReceivedTime"=>"2018-12-31 17:34:15", "SourceModuleName"=>"eventlog", "SourceModuleType"=>"im_msvistalog", "message"=>"RDP_TCP: An error was encountered when transitioning from StateUnknown in response to Event_Disconnect (error code 0x80070040).", "@version"=>"1", "@timestamp"=>"2018-12-31T17:34:20.208Z", "host"=>"10.109.196.135", "port"=>52025, "type"=>"eventlog"}, @lut={"type"=>[{"EventTime"=>"2018-12-31 17:34:14", "Hostname"=>" -RAV01", "Keywords"=>4611686018427387904, "EventType"=>"WARNING", "SeverityValue"=>3, "Severity"=>"WARNING", "EventID"=>226, "SourceName"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS", "ProviderGuid"=>"{1139C61B-B549-4251-8ED3-27250A1EDEC8}", "Version"=>0, "Task"=>4, "OpcodeValue"=>19, "RecordNumber"=>6350, "ActivityID"=>"{F420E538-D917-40F2-BA1C-E87C50170000}", "ProcessID"=>868, "ThreadID"=>6552, "Channel"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational", "Domain"=>"NT AUTHORITY", "AccountName"=>"NETWORK SERVICE", "UserID"=>"S-1-5-20", "AccountType"=>"Well Known Group", "Category"=>"RemoteFX module", "Opcode"=>"Runtime", "StateTransition"=>"RDP_TCP", "PreviousState"=>"23", "PreviousStateName"=>"StateUnknown", "NewState"=>"21", "NewStateName"=>"StateDisconnected", "Event"=>"43", "EventName"=>"Event_Disconnect", "ErrorCode"=>"0x80070040", "EventReceivedTime"=>"2018-12-31 17:34:15", "SourceModuleName"=>"eventlog", "SourceModuleType"=>"im_msvistalog", "message"=>"RDP_TCP: An error was encountered when transitioning from StateUnknown in response to Event_Disconnect (error code 0x80070040).", "@version"=>"1", "@timestamp"=>"2018-12-31T17:34:20.208Z", "host"=>"10.109.196.135", "port"=>52025, "type"=>"eventlog"}, "type"], "[program]"=>[{"EventTime"=>"2018-12-31 17:34:14", "Hostname"=>" -RAV01", "Keywords"=>4611686018427387904, "EventType"=>"WARNING", "SeverityValue"=>3, "Severity"=>"WARNING", "EventID"=>226, "SourceName"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS", "ProviderGuid"=>"{1139C61B-B549-4251-8ED3-27250A1EDEC8}", "Version"=>0, "Task"=>4, "OpcodeValue"=>19, "RecordNumber"=>6350, "ActivityID"=>"{F420E538-D917-40F2-BA1C-E87C50170000}", "ProcessID"=>868, "ThreadID"=>6552, "Channel"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational", "Domain"=>"NT AUTHORITY", "AccountName"=>"NETWORK SERVICE", "UserID"=>"S-1-5-20", "AccountType"=>"Well Known Group", "Category"=>"RemoteFX module", "Opcode"=>"Runtime", "StateTransition"=>"RDP_TCP", "PreviousState"=>"23", "PreviousStateName"=>"StateUnknown", "NewState"=>"21", "NewStateName"=>"StateDisconnected", "Event"=>"43", "EventName"=>"Event_Disconnect", "ErrorCode"=>"0x80070040", "EventReceivedTime"=>"2018-12-31 17:34:15", "SourceModuleName"=>"eventlog", "SourceModuleType"=>"im_msvistalog", "message"=>"RDP_TCP: An error was encountered when transitioning from StateUnknown in response to Event_Disconnect (error code 0x80070040).", "@version"=>"1", "@timestamp"=>"2018-12-31T17:34:20.208Z", "host"=>"10.109.196.135", "port"=>52025, "type"=>"eventlog"}, "program"], "[host]"=>[{"EventTime"=>"2018-12-31 17:34:14", "Hostname"=>" -RAV01", "Keywords"=>4611686018427387904, "EventType"=>"WARNING", "SeverityValue"=>3, "Severity"=>"WARNING", "EventID"=>226, "SourceName"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS", "ProviderGuid"=>"{1139C61B-B549-4251-8ED3-27250A1EDEC8}", "Version"=>0, "Task"=>4, "OpcodeValue"=>19, "RecordNumber"=>6350, "ActivityID"=>"{F420E538-D917-40F2-BA1C-E87C50170000}", "ProcessID"=>868, "ThreadID"=>6552, "Channel"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational", "Domain"=>"NT AUTHORITY", "AccountName"=>"NETWORK SERVICE", "UserID"=>"S-1-5-20", "AccountType"=>"Well Known Group", "Category"=>"RemoteFX module", "Opcode"=>"Runtime", "StateTransition"=>"RDP_TCP", "PreviousState"=>"23", "PreviousStateName"=>"StateUnknown", "NewState"=>"21", "NewStateName"=>"StateDisconnected", "Event"=>"43", "EventName"=>"Event_Disconnect", "ErrorCode"=>"0x80070040", "EventReceivedTime"=>"2018-12-31 17:34:15", "SourceModuleName"=>"eventlog", "SourceModuleType"=>"im_msvistalog", "message"=>"RDP_TCP: An error was encountered when transitioning from StateUnknown in response to Event_Disconnect (error code 0x80070040).", "@version"=>"1", "@timestamp"=>"2018-12-31T17:34:20.208Z", "host"=>"10.109.196.135", "port"=>52025, "type"=>"eventlog"}, "host"]}>>], :response=>{"create"=>{"_index"=>"logstash-2018.12.31", "_type"=>"eventlog", "_id"=>"AWgFVKgSBNPXRS-PpM6U", "status"=>400, "error"=>"MapperParsingException[failed to parse [ErrorCode]]; nested: NumberFormatException[For input string: \"0x80070040\"]; "}}, :level=>:warn}
{:timestamp=>"2019-01-01T02:10:18.353000+0800", :message=>"Failed action. ", :status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.12.31", :_type=>"eventlog", :_routing=>nil}, #<LogStash::Event:0x6c46643d @metadata_accessors=#<LogStash::Util::Accessors:0x7d5ab20f @store={}, @lut={}>, @cancelled=false, @data={"EventTime"=>"2018-12-31 18:09:34", "Hostname"=>" -RBKP01", "Keywords"=>4611686018427387904, "EventType"=>"WARNING", "SeverityValue"=>3, "Severity"=>"WARNING", "EventID"=>226, "SourceName"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS", "ProviderGuid"=>"{1139C61B-B549-4251-8ED3-27250A1EDEC8}", "Version"=>0, "Task"=>4, "OpcodeValue"=>19, "RecordNumber"=>6933, "ActivityID"=>"{F420C7FE-459B-4921-98C1-D356D0570000}", "ProcessID"=>984, "ThreadID"=>10824, "Channel"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational", "Domain"=>"NT AUTHORITY", "AccountName"=>"NETWORK SERVICE", "UserID"=>"S-1-5-20", "AccountType"=>"Well Known Group", "Category"=>"RemoteFX module", "Opcode"=>"Runtime", "StateTransition"=>"RDP_SEC", "PreviousState"=>"0", "PreviousStateName"=>"FStatePassthrough", "NewState"=>"9", "NewStateName"=>"FStateError", "Event"=>"16", "EventName"=>"FEventCheckAndCompleteReadsFailed", "ErrorCode"=>"0x8007139f", "EventReceivedTime"=>"2018-12-31 18:09:36", "SourceModuleName"=>"eventlog", "SourceModuleType"=>"im_msvistalog", "message"=>"RDP_SEC: An error was encountered when transitioning from FStatePassthrough in response to FEventCheckAndCompleteReadsFailed (error code 0x8007139F).", "@version"=>"1", "@timestamp"=>"2018-12-31T18:10:17.821Z", "host"=>"10.109.196.138", "port"=>56968, "type"=>"eventlog"}, @metadata={}, @accessors=#<LogStash::Util::Accessors:0xd65f8ab @store={"EventTime"=>"2018-12-31 18:09:34", "Hostname"=>" -RBKP01", "Keywords"=>4611686018427387904, "EventType"=>"WARNING", "SeverityValue"=>3, "Severity"=>"WARNING", "EventID"=>226, "SourceName"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS", "ProviderGuid"=>"{1139C61B-B549-4251-8ED3-27250A1EDEC8}", "Version"=>0, "Task"=>4, "OpcodeValue"=>19, "RecordNumber"=>6933, "ActivityID"=>"{F420C7FE-459B-4921-98C1-D356D0570000}", "ProcessID"=>984, "ThreadID"=>10824, "Channel"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational", "Domain"=>"NT AUTHORITY", "AccountName"=>"NETWORK SERVICE", "UserID"=>"S-1-5-20", "AccountType"=>"Well Known Group", "Category"=>"RemoteFX module", "Opcode"=>"Runtime", "StateTransition"=>"RDP_SEC", "PreviousState"=>"0", "PreviousStateName"=>"FStatePassthrough", "NewState"=>"9", "NewStateName"=>"FStateError", "Event"=>"16", "EventName"=>"FEventCheckAndCompleteReadsFailed", "ErrorCode"=>"0x8007139f", "EventReceivedTime"=>"2018-12-31 18:09:36", "SourceModuleName"=>"eventlog", "SourceModuleType"=>"im_msvistalog", "message"=>"RDP_SEC: An error was encountered when transitioning from FStatePassthrough in response to FEventCheckAndCompleteReadsFailed (error code 0x8007139F).", "@version"=>"1", "@timestamp"=>"2018-12-31T18:10:17.821Z", "host"=>"10.109.196.138", "port"=>56968, "type"=>"eventlog"}, @lut={"type"=>[{"EventTime"=>"2018-12-31 18:09:34", "Hostname"=>" -RBKP01", "Keywords"=>4611686018427387904, "EventType"=>"WARNING", "SeverityValue"=>3, "Severity"=>"WARNING", "EventID"=>226, "SourceName"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS", "ProviderGuid"=>"{1139C61B-B549-4251-8ED3-27250A1EDEC8}", "Version"=>0, "Task"=>4, "OpcodeValue"=>19, "RecordNumber"=>6933, "ActivityID"=>"{F420C7FE-459B-4921-98C1-D356D0570000}", "ProcessID"=>984, "ThreadID"=>10824, "Channel"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational", "Domain"=>"NT AUTHORITY", "AccountName"=>"NETWORK SERVICE", "UserID"=>"S-1-5-20", "AccountType"=>"Well Known Group", "Category"=>"RemoteFX module", "Opcode"=>"Runtime", "StateTransition"=>"RDP_SEC", "PreviousState"=>"0", "PreviousStateName"=>"FStatePassthrough", "NewState"=>"9", "NewStateName"=>"FStateError", "Event"=>"16", "EventName"=>"FEventCheckAndCompleteReadsFailed", "ErrorCode"=>"0x8007139f", "EventReceivedTime"=>"2018-12-31 18:09:36", "SourceModuleName"=>"eventlog", "SourceModuleType"=>"im_msvistalog", "message"=>"RDP_SEC: An error was encountered when transitioning from FStatePassthrough in response to FEventCheckAndCompleteReadsFailed (error code 0x8007139F).", "@version"=>"1", "@timestamp"=>"2018-12-31T18:10:17.821Z", "host"=>"10.109.196.138", "port"=>56968, "type"=>"eventlog"}, "type"], "[program]"=>[{"EventTime"=>"2018-12-31 18:09:34", "Hostname"=>" -RBKP01", "Keywords"=>4611686018427387904, "EventType"=>"WARNING", "SeverityValue"=>3, "Severity"=>"WARNING", "EventID"=>226, "SourceName"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS", "ProviderGuid"=>"{1139C61B-B549-4251-8ED3-27250A1EDEC8}", "Version"=>0, "Task"=>4, "OpcodeValue"=>19, "RecordNumber"=>6933, "ActivityID"=>"{F420C7FE-459B-4921-98C1-D356D0570000}", "ProcessID"=>984, "ThreadID"=>10824, "Channel"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational", "Domain"=>"NT AUTHORITY", "AccountName"=>"NETWORK SERVICE", "UserID"=>"S-1-5-20", "AccountType"=>"Well Known Group", "Category"=>"RemoteFX module", "Opcode"=>"Runtime", "StateTransition"=>"RDP_SEC", "PreviousState"=>"0", "PreviousStateName"=>"FStatePassthrough", "NewState"=>"9", "NewStateName"=>"FStateError", "Event"=>"16", "EventName"=>"FEventCheckAndCompleteReadsFailed", "ErrorCode"=>"0x8007139f", "EventReceivedTime"=>"2018-12-31 18:09:36", "SourceModuleName"=>"eventlog", "SourceModuleType"=>"im_msvistalog", "message"=>"RDP_SEC: An error was encountered when transitioning from FStatePassthrough in response to FEventCheckAndCompleteReadsFailed (error code 0x8007139F).", "@version"=>"1", "@timestamp"=>"2018-12-31T18:10:17.821Z", "host"=>"10.109.196.138", "port"=>56968, "type"=>"eventlog"}, "program"], "[host]"=>[{"EventTime"=>"2018-12-31 18:09:34", "Hostname"=>" -RBKP01", "Keywords"=>4611686018427387904, "EventType"=>"WARNING", "SeverityValue"=>3, "Severity"=>"WARNING", "EventID"=>226, "SourceName"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS", "ProviderGuid"=>"{1139C61B-B549-4251-8ED3-27250A1EDEC8}", "Version"=>0, "Task"=>4, "OpcodeValue"=>19, "RecordNumber"=>6933, "ActivityID"=>"{F420C7FE-459B-4921-98C1-D356D0570000}", "ProcessID"=>984, "ThreadID"=>10824, "Channel"=>"Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational", "Domain"=>"NT AUTHORITY", "AccountName"=>"NETWORK SERVICE", "UserID"=>"S-1-5-20", "AccountType"=>"Well Known Group", "Category"=>"RemoteFX module", "Opcode"=>"Runtime", "StateTransition"=>"RDP_SEC", "PreviousState"=>"0", "PreviousStateName"=>"FStatePassthrough", "NewState"=>"9", "NewStateName"=>"FStateError", "Event"=>"16", "EventName"=>"FEventCheckAndCompleteReadsFailed", "ErrorCode"=>"0x8007139f", "EventReceivedTime"=>"2018-12-31 18:09:36", "SourceModuleName"=>"eventlog", "SourceModuleType"=>"im_msvistalog", "message"=>"RDP_SEC: An error was encountered when transitioning from FStatePassthrough in response to FEventCheckAndCompleteReadsFailed (error code 0x8007139F).", "@version"=>"1", "@timestamp"=>"2018-12-31T18:10:17.821Z", "host"=>"10.109.196.138", "port"=>56968, "type"=>"eventlog"}, "host"]}>>], :response=>{"create"=>{"_index"=>"logstash-2018.12.31", "_type"=>"eventlog", "_id"=>"AWgFdZRpBNPXRS-PpSTB", "status"=>400, "error"=>"MapperParsingException[failed to parse [ErrorCode]]; nested: NumberFormatException[For input string: \"0x8007139f\"]; "}}, :level=>:warn}

Elasticsearch old log:

Code: Select all

[2019-01-08 07:48:02,457][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] creating index, cause [auto(bulk api)], templates [logstash], shards [5]/[1], mappings [_default_, syslog]
[2019-01-08 07:48:02,539][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [syslog] (dynamic)
[2019-01-08 07:48:02,547][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [syslog] (dynamic)
[2019-01-08 08:00:08,381][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 08:00:19,460][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 08:02:03,184][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 08:03:43,734][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 08:03:43,747][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 08:03:54,535][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 08:08:33,117][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 08:08:55,770][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 08:11:17,623][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 08:16:27,564][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 08:24:01,310][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 08:39:54,262][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 12:57:39,770][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 15:16:28,586][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-08 15:30:53,598][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-09 03:00:01,362][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)
[2019-01-09 03:29:57,153][INFO ][cluster.metadata         ] [efc78a82-f33a-4f5f-8ffa-13228247b3bb] [logstash-2019.01.08] update_mapping [eventlog] (dynamic)

[floki]

I'm still unsure what happened but it is working fine now. Thanks a lot

[scottwilkerson]

I'm still unsure what happened but it is working fine now. Thanks a lot

glad to hear it is working now

Locking thread