I am seeing quite a lot of errors in Logstash for Winlogbeat events failing to index. The error indicates events are coming in with "source.ip: LOCAL" which is not a valid IP address. If for some reason the literal string for the IP address is being read as "LOCAL", the agent should convert this to "127.0.0.1" to prevent index failures.
Jul 02 07:43:04 Logstash1 logstash[7790]: [2020-07-02T07:43:04,974][WARN ][logstash.outputs.elasticsearch][main][1b0d38a63ac70b958df647ae2a47badf4ac8161e6df5e7eb331817d2b52dfa28] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"winlogbeat-7.8.0", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x5a7b7089>], :response=>{"index"=>{"_index"=>"winlogbeat-7.8.0-2020.07.02-000015", "_type"=>"_doc", "_id"=>"-nL7D3MB9q2MOx9CKDBo", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [source.ip] of type [ip] in document with id '-nL7D3MB9q2MOx9CKDBo'. Preview of field's value: 'LOCAL'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'LOCAL' is not an IP string literal."}}}}}
I am seeing quite a lot of errors in Logstash for Winlogbeat events failing to index. The error indicates events are coming in with "source.ip: LOCAL" which is not a valid IP address. If for some reason the literal string for the IP address is being read as "LOCAL", the agent should convert this to "127.0.0.1" to prevent index failures.