An ECS compliant Kibana index pattern must be configured to view event data on the map

Hi all,
I am using the Filebeat cisco module to get logs. I am not storing these logs in an index called filebeat-* but in cisco-*. To get the correct mapping for this pattern, I exported the Filebeat template and imported it for the pattern cisco-*. Anyway, the SIEM Network Map tells me that

An ECS compliant Kibana index pattern must be configured to view event data on the map. When using beats, you can run the following setup commands to create the required Kibana index patterns, otherwise you can configure them manually within Kibana settings.

I already added cisco-* to the default SIEM index search in management. But this doesn't seem to be solution. How can I add the cisco-* to the map?

Cheers,
Marcus

Hi Marcus,

To confirm, you need two things:

  1. cisco-* added to "SIEM Elasticsearch indices" under Kibana Advanced Settings.
  2. A Kibana index pattern for cisco-*, which you can add under Kibana Management / Index Patterns.

Do you have both?

Seems it was my fault.
I added cisco-* to my SIEM settings, but the index pattern was set to cisco-asa-*. After changing it to cisco-* the error disappeared.

Cheers,
Marcus
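The exchange above boils down to two Kibana changes (the SIEM indices advanced setting and a matching Kibana index pattern) plus one easy mistake: an index pattern title such as cisco-asa-* that does not cover the indices listed in the SIEM setting. The following is an added example, not code from the original thread or from Elastic. It builds the request bodies for both changes, checks offline whether a given index is covered by both settings, and inspects a mapping for the ECS geo_point fields the Network Map draws. The setting key siem:defaultIndex, the two geo field names, the sample mapping, and the KIBANA_URL / KIBANA_AUTH environment variables are assumptions made for the example.

```python
"""Added example (not from the thread or from Elastic): validate and apply the
SIEM Network Map setup described above.  Setting key, ECS field list, sample
mapping and Kibana URL/credentials are assumptions."""
import base64
import fnmatch
import json
import os
import urllib.request

# Advanced Settings key behind "SIEM Elasticsearch indices" (assumed for 7.x).
SIEM_INDEX_SETTING = "siem:defaultIndex"

# ECS geo_point fields the map plots (assumption based on the thread).
ECS_GEO_FIELDS = ("source.geo.location", "destination.geo.location")

# Constructed sample mapping, shaped like the relevant part of the Filebeat
# template that was imported for cisco-*.
SAMPLE_MAPPING = {
    "properties": {
        "@timestamp": {"type": "date"},
        "source": {"properties": {"geo": {"properties": {
            "location": {"type": "geo_point"}}}}},
        "destination": {"properties": {"geo": {"properties": {
            "location": {"type": "geo_point"}}}}},
    }
}


def siem_indices_change(current, new_pattern):
    """Body for POST /api/kibana/settings adding new_pattern to the SIEM list."""
    patterns = list(current) + ([new_pattern] if new_pattern not in current else [])
    return {"changes": {SIEM_INDEX_SETTING: patterns}}


def index_pattern_request(title, time_field="@timestamp"):
    """(method, path, body) for creating a Kibana index pattern saved object."""
    body = {"attributes": {"title": title, "timeFieldName": time_field}}
    return "POST", "/api/saved_objects/index-pattern", body


def pattern_covers(pattern, index_name):
    """True if a Kibana-style pattern (comma list, * wildcards) matches index_name."""
    return any(fnmatch.fnmatchcase(index_name, p.strip())
               for p in pattern.split(","))


def field_type(mappings, dotted_path):
    """Walk a mappings dict and return the type of a dotted field, or None."""
    node = mappings
    for part in dotted_path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node.get("type")


def missing_ecs_geo_fields(mappings):
    """ECS geo fields that are absent or not geo_point in the mapping."""
    return [f for f in ECS_GEO_FIELDS if field_type(mappings, f) != "geo_point"]


def check_setup(siem_patterns, index_pattern_titles, index_name, mappings):
    """Return a list of problems; an empty list means the map should work."""
    problems = []
    if not any(pattern_covers(p, index_name) for p in siem_patterns):
        problems.append(f"{index_name} is not covered by {SIEM_INDEX_SETTING}")
    if not any(pattern_covers(t, index_name) for t in index_pattern_titles):
        problems.append(f"no Kibana index pattern covers {index_name}")
    for f in missing_ecs_geo_fields(mappings):
        problems.append(f"{f} is not a geo_point in the mapping")
    return problems


def send(kibana_url, method, path, body, basic_auth=None):
    """Send one JSON request to Kibana; writes need the kbn-xsrf header."""
    req = urllib.request.Request(
        kibana_url.rstrip("/") + path, data=json.dumps(body).encode(),
        method=method,
        headers={"Content-Type": "application/json", "kbn-xsrf": "true"})
    if basic_auth:  # "user:password"
        req.add_header("Authorization", "Basic " +
                       base64.b64encode(basic_auth.encode()).decode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # The mistake from the thread: SIEM list says cisco-*, index pattern says cisco-asa-*.
    print(check_setup(["filebeat-*", "cisco-*"], ["filebeat-*", "cisco-asa-*"],
                      "cisco-2019.12.01", SAMPLE_MAPPING))
    # The fix: both use cisco-*.
    print(check_setup(["filebeat-*", "cisco-*"], ["filebeat-*", "cisco-*"],
                      "cisco-2019.12.01", SAMPLE_MAPPING))
    # Optional: apply both changes to a live Kibana (assumed URL/credentials).
    url = os.environ.get("KIBANA_URL")
    if url:
        auth = os.environ.get("KIBANA_AUTH")  # e.g. elastic:changeme
        send(url, "POST", "/api/kibana/settings",
             siem_indices_change(["filebeat-*"], "cisco-*"), auth)
        send(url, *index_pattern_request("cisco-*"), auth)
```

Run it without KIBANA_URL to see the offline checks only: the first call reports that no index pattern covers the cisco index, the second returns an empty list. The mapping check is there because the map needs geo_point fields at the ECS paths, so a template applied to the wrong pattern shows up as a missing field rather than as the index-pattern message.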

I'm seeing this same error after upgrading to v7.5. I think it's due to an inconsistency in the field name that the visualization is looking for. ECS normalizes destination fields to the destination base name, but the documentation in v7.5 suddenly says to use the dest base field. See the screenshot attached.

I have geolocation data stored as a geo_point field at destination.geo.location. I've got a custom visualization in my other dashboards that renders data from the same index just fine.

Thanks for pointing that out. I've opened a PR to fix it.
