I've just set up a completely new ELK environment and begun testing it with the installation of Auditbeat on a Windows Server 2012 R2 machine.
When running the dashboard setup from PowerShell, it confirms successful installation and I can see the Visualisations and Dashboards in Kibana. However, when clicking into any of the Dashboards I get the following two errors at the top of the page:
Saved "field" parameter is now invalid. Please select a new field.
Visualize: "field" is a required parameter
Likewise, clicking into the [Auditbeat File Integrity] Overview Dashboard I get the following errors on the page:
Could not locate that index-pattern-field (id: file.group)
Could not locate that index-pattern-field (id: file.path.raw)
Could not locate that index-pattern-field (id: file.mode)
Having removed the index, all visualisations, searches, dashboards, etc., and completed the setup again, I still get the same error.
Have I missed something obvious?
Are you using the same version of Beats, Kibana, and Elasticsearch? What version are you running?
Completely fresh install of Logstash, Elasticsearch and Kibana at 6.3.0.
Logstash config:
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => "x.x.x.x:9200" # Bound to IPv4 address
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
The only data being shipped is a single server with Auditbeat on for testing purposes.
Auditbeat config (Windows Server 2012 R2)
auditbeat.modules:
- module: file_integrity
  paths:
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)
setup.template.settings:
  index.number_of_shards: 1
name: host.fqdn.local # Machine's hostname running Auditbeat
setup.kibana:
  host: "x.x.x.x:5601" # Kibana IP Address
output.logstash:
  hosts: ["x.x.x.x:5044"] # Logstash IP Address
Dashboards were set up using the following, with the output in the config changed from logstash to elasticsearch:
./auditbeat setup -e
Additionally, the More Info button at the top of the Dashboard screen shows the following error:
Visualize: "field" is a required parameter
TypeError: "field" is a required parameter
    at FieldParamType.write (http://x.x.x.x:5601/bundles/commons.bundle.js:3:1269032)
    at http://x.x.x.x:5601/bundles/commons.bundle.js:3:308531
    at AggParams.forEach (<anonymous>)
    at AggParams.write (http://x.x.x.x:5601/bundles/commons.bundle.js:3:308489)
    at AggConfig.write (http://x.x.x.x:5601/bundles/commons.bundle.js:3:70339)
    at AggConfig.toDsl (http://x.x.x.x:5601/bundles/commons.bundle.js:3:71279)
    at http://x.x.x.x:5601/bundles/commons.bundle.js:3:1426036
    at Array.forEach (<anonymous>)
    at AggConfigs.VisAggConfigsProvider.AggConfigs.toDsl (http://x.x.x.x:5601/bundles/commons.bundle.js:3:1425819)
    at http://x.x.x.x:5601/bundles/commons.bundle.js:3:503899
    at SearchSource.value (http://x.x.x.x:5601/bundles/commons.bundle.js:3:93766)
    at ittr (http://x.x.x.x:5601/bundles/commons.bundle.js:3:94975)
    at http://x.x.x.x:5601/bundles/vendors.bundle.js:3:19274
    at http://x.x.x.x:5601/bundles/vendors.bundle.js:3:29454
    at baseForOwn (http://x.x.x.x:5601/bundles/vendors.bundle.js:3:16415)
    at http://x.x.x.x:5601/bundles/vendors.bundle.js:3:29014