I've been playing around with ELK at work for viewing our Windows logs, but not all the data is showing up in the SIEM module. It seems to be having an issue grabbing it, with a "Fielddata is disabled on text fields by default" error on various fields.
A little info on our setup: we are using Windows Event Forwarding to send Windows server logs to a central Windows Event Collector server, and we also have Sysmon logs for clients and servers forwarded there. Then Winlogbeat sends the logs to our ELK server via Logstash. I just updated to Winlogbeat and ELK 7.6 earlier this week. I have our data split into different indexes on ELK: an index for the security log, an index for Sysmon logs, etc. I don't know if I had the template set up correctly initially, but I think I do now.
Any suggestions to help with the "Fielddata is disabled on text fields by default" issue on the SIEM page would be helpful.
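The error in the post is what Elasticsearch returns when an aggregation (the SIEM app runs them on ECS fields such as host.name and event.code) hits a field mapped as `text` instead of `keyword`, which is what dynamic mapping produces when an index is created before the Winlogbeat template applies. The script below is an added example, not code from the original post or from Elastic: it walks a mapping, lists the `text` fields that would raise the error, and builds the keyword `properties` fragment for an index template; the `SAMPLE_MAPPING` is a constructed stand-in for the output of `GET /<index>/_mapping`.

```python
# Finds the text fields that trigger the fielddata error and builds the fix.
import json

# Constructed sample `mappings` object (shape of GET /<index>/_mapping).
SAMPLE_MAPPING = {"properties": {
    "host": {"properties": {"name": {
        "type": "text",
        "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}}},
    "event": {"properties": {"code": {"type": "text"}, "action": {"type": "keyword"}}},
    "winlog": {"properties": {"event_data": {"properties": {
        "TargetUserName": {"type": "text"}}}}},
    "message": {"type": "text"},
}}

def walk_properties(props, prefix=""):
    """Yield (dotted_name, definition) for every leaf field in a mapping."""
    for name, defn in props.items():
        path = prefix + name
        if "properties" in defn:
            yield from walk_properties(defn["properties"], path + ".")
        else:
            yield path, defn

def text_fields(mapping):
    """Return {dotted_name: has_keyword_subfield} for every `text` field.
    Aggregating on any of these by its plain name raises the fielddata error;
    the SIEM app queries ECS fields such as host.name by their plain name."""
    found = {}
    for path, defn in walk_properties(mapping.get("properties", {})):
        if defn.get("type") == "text" and not defn.get("fielddata"):
            subs = defn.get("fields", {}).values()
            found[path] = any(s.get("type") == "keyword" for s in subs)
    return found

def keyword_properties(paths):
    """Nested `properties` dict mapping each dotted path to keyword, for an
    index template; it applies only to indexes created afterwards."""
    props = {}
    for path in paths:
        node, parts = props, path.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {}).setdefault("properties", {})
        node[parts[-1]] = {"type": "keyword", "ignore_above": 1024}
    return props

if __name__ == "__main__":
    # Free-text fields such as `message` should stay text; remap the rest.
    to_fix = [p for p in text_fields(SAMPLE_MAPPING) if p != "message"]
    print(json.dumps({"properties": keyword_properties(to_fix)}, indent=2))
```

Existing indexes keep their old mapping, so after installing the corrected template the affected index has to be rolled over or reindexed before the SIEM queries succeed.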