Beat Dashboard Installation - Saved "field" parameter is now invalid


#1

I've just setup a completely new ELK environment and began testing it with the installation of Auditbeat on a Windows Server 2012 R2 machine.

When running the dashboard setup from Powershell it confirms successful installation and I can see the Visualisations and Dashboards in Kibana, however when clicking into any of the Dashboards I get the following two errors at the top of the page:

Saved "field" parameter is now invalid. Please select a new field.
Visualize: "field" is a required parameter

Likewise, clicking into the [Auditbeat File Integrity] Overview Dashboard I get the following errors on the page:

Could not locate that index-pattern-field (id: file.group)
Could not locate that index-pattern-field (id: file.path.raw)
Could not locate that index-pattern-field (id: file.mode)

Having removed the index, all visualisations, searches, dashboards etc and completed the setup again I still get the same error.

Have I missed something obvious?


(Nathan Reese) #2

Are you using the same version of Beats, Kibana, and Elasticsearch? What version are you running?


#3

Completely fresh install of Logstash, Elasticsearch and Kibana at 6.3.0.

Logstash config:

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => "x.x.x.x:9200"  #Bound to IPv4 address
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

The only data being shipped is a single server with Auditbeat on for testing purposes.

Auditbeat config (Windows Server 2012 R2)

auditbeat.modules:
- module: file_integrity
  paths:
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)
  
setup.template.settings:
  index.number_of_shards: 1

name: host.fqdn.local  #Machine's hostname running Auditbeat

setup.kibana:
  host: "x.x.x.x:5601"  #Kibana IP Address

output.logstash:
  hosts: ["x.x.x.x:5044"]  #Logstash IP Address

Dashboards setup using the following with the output from the config changed from logstash to elasticsearch:

./auditbeat setup -e

#4

As an additional, the More Info button at the top of the Dashboard screen shows the following error:

Visualize: "field" is a required parameter

TypeError: "field" is a required parameter
    at FieldParamType.write (http://x.x.x.x:5601/bundles/commons.bundle.js:3:1269032)
    at http://x.x.x.x:5601/bundles/commons.bundle.js:3:308531
    at AggParams.forEach (<anonymous>)
    at AggParams.write (http://x.x.x.x:5601/bundles/commons.bundle.js:3:308489)
    at AggConfig.write (http://x.x.x.x:5601/bundles/commons.bundle.js:3:70339)
    at AggConfig.toDsl (http://x.x.x.x:5601/bundles/commons.bundle.js:3:71279)
    at http://x.x.x.x:5601/bundles/commons.bundle.js:3:1426036
    at Array.forEach (<anonymous>)
    at AggConfigs.VisAggConfigsProvider.AggConfigs.toDsl (http://x.x.x.x:5601/bundles/commons.bundle.js:3:1425819)
    at http://x.x.x.x:5601/bundles/commons.bundle.js:3:503899
    at SearchSource.value (http://x.x.x.x:5601/bundles/commons.bundle.js:3:93766)
    at ittr (http://x.x.x.x:5601/bundles/commons.bundle.js:3:94975)
    at http://x.x.x.x:5601/bundles/vendors.bundle.js:3:19274
    at http://x.x.x.x:5601/bundles/vendors.bundle.js:3:29454
    at baseForOwn (http://x.x.x.x:5601/bundles/vendors.bundle.js:3:16415)
    at http://x.x.x.x:5601/bundles/vendors.bundle.js:3:29014

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.