I am using auditbeat 7.5.2 (I also tried with auditbeat 7.5.1). Auditbeat sends
data to logstash and logstash to elasticsearch.
This is how the beats input in logstash is configured:

    input {
      if 1 == 1 {
        beats {
          id => 'beat-input'
          port => 5044
          host => '192.168.1.4'
          ssl => true
          ssl_certificate => '/etc/logstash/certs/beat_input/logstash.crt'
          ssl_certificate_authorities => '/etc/logstash/certs/beat_input/ca.crt'
          ssl_key => '/etc/logstash/certs/beat_input/logstash.p8'
          ssl_verify_mode => 'force_peer'
        }
      }
    }

In auditbeat I have enabled the process module. When I go to kibana and search
for agent.type = auditbeat and event.module = process, then I receive an error:

    1 of 41 shards failed
    Type: illegal_argument_exception
    Reason: Field [process.created] of type [keyword] does not support custom formats

Some records do get returned. But none of them have a process.created field.
I also checked auditbeat's template that I have inserted into elasticsearch and
there is no such field there either.
How could I eliminate this error?
I am not doing any custom index field or template work. I am just using what is
already there. Am I doing something wrong?
Is this a bug I should report?