Auditbeat - SIEM

Hello All,

I'm currently playing with and testing out the SIEM plugin. However, as soon as I feed it Auditbeat data, I seem to get an error message which I'm not really sure about. I thought that the SIEM would work natively with Auditbeat data. However, the (huge) error I'm receiving is:

[illegal_argument_exception] Fielddata is disabled on text fields by default. Set fielddata=true on [host.name] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead. (and) [illegal_argument_exception] Fielddata is disabled on text fields by default. Set fielddata=true on [host.name] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory.

I've tried looking around for similar issues but I'm not sure if those older issues relate to my current issue.

Thanks!

Hi @cob, it looks like you need to set up the Auditbeat index. Have you run ./auditbeat setup before running Auditbeat itself?

Sorry, actually the error should not have happened even without ./auditbeat setup (which is still important to run).

What seems to have happened is that it did not load the correct index template, and so the host.name field is not a keyword field. How did you set up Auditbeat? Which version is it? Did you modify the Auditbeat configuration? Do you know if there was an auditbeat-* index or index template already present in Elasticsearch before? Can you provide the full configuration and log of Auditbeat starting (with ./auditbeat -e)?

If you can (i.e. if you don't have any historical Auditbeat data you care about) the easiest thing to do would be to ensure that there are no Auditbeat indexes or templates around (run DELETE auditbeat-* and DELETE _template/auditbeat-* - please ONLY do this if you don't care about the existing Auditbeat data).

I deleted my old message as I figured out what the issue was. I had to run the setup on the local machine for it to create the proper mappings/indexes/indices and now it works like a charm. Now I can start changing stuff and learn more about it.

Thanks for directing me in the good direction!

@cob Great!

For everyone else who might be reading this: Logstash creates text fields by default, which do not allow aggregations. So you have to set manage_template => false in the Logstash config for the Elasticsearch output, and load the index template from Beats using e.g. ./auditbeat setup (with output.elasticsearch enabled, then switch it off and enable output.logstash when running without setup).
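The mapping problem described in this thread can be checked for directly. The following is an added example, not part of the original posts or of any Elastic code: it takes a parsed `GET auditbeat-*/_mapping` response and lists the indices where `host.name` ended up as a `text` field without fielddata. The sample response, the index names and the function names are constructed for illustration.

```python
def wrap(host_name_mapping):
    """Build the nesting Elasticsearch returns around the host.name mapping."""
    return {"mappings": {"properties": {"host": {"properties": {
        "name": host_name_mapping}}}}}

# Constructed sample response (index names are made up, not from the thread).
SAMPLE_MAPPING = {
    # Dynamically mapped string: the result when no Beats template was applied.
    "auditbeat-without-template": wrap({
        "type": "text",
        "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}),
    # Mapping created from the index template loaded by `auditbeat setup`.
    "auditbeat-with-template": wrap({"type": "keyword", "ignore_above": 1024}),
}

def field_mapping(properties, dotted_name):
    """Follow nested `properties` objects down to a field such as 'host.name'."""
    node = None
    for part in dotted_name.split("."):
        node = (properties or {}).get(part)
        if not isinstance(node, dict):
            return None
        properties = node.get("properties")
    return node

def field_mappings(mapping_response, dotted_name="host.name"):
    """Return {index: mapping dict, or None if the field is not mapped}."""
    result = {}
    for index, body in mapping_response.items():
        mappings = body.get("mappings", {})
        # Assumption: older responses nest `properties` under a document type.
        roots = [mappings] if "properties" in mappings else mappings.values()
        found = None
        for root in roots:
            if isinstance(root, dict):
                found = found or field_mapping(root.get("properties"), dotted_name)
        result[index] = found
    return result

def aggregation_blockers(mapping_response, dotted_name="host.name"):
    """Indices where the field is `text` without fielddata, so aggregations fail."""
    found = field_mappings(mapping_response, dotted_name)
    return sorted(i for i, m in found.items()
                  if m and m.get("type") == "text" and not m.get("fielddata"))

if __name__ == "__main__":
    for index in aggregation_blockers(SAMPLE_MAPPING):
        print(f"{index}: host.name is text, load the Auditbeat template and reindex")
```

To run it against a live cluster, pass the JSON body of the mapping request through `json.load` and hand the resulting dict to `aggregation_blockers`.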

Thanks cwurum. Had the same problem too, got it resolved.