See also attached screenshot:
I would expect IP-adresses in the column "Last failed source". This expectations is based on the timestamp in the column "Last failure".
Since this is not the case: what would it take to make that happen?
I'm running ES with Kibana version 7.6.1.; including the respective Auditbeat and Packetbeat shippers.
Hi, this is a question more about the data collection than Kibana (which only displays what data there is in ES).
You should try asking this in the Beats sub-forum.
Thank you for the response Marius.
While a valid possibility in itself, it is not the case here.
The data seems to be there - I have checked this with Discovery on the index Auditbeat => this is the data source for this part.
However, I'm not aware of something that can be used for a crosscheck => is Kibana reading from the same tables as Auditbeat is writing to.
I have a similar issue with Packetbeat and TLS: there seems to be a mismatch in the datascheme.
Ah, I just realized now that you are in the SIEM app. I apologize, at first sight it seemed like a table created in Discover. It might be the same issue, I'll ping the SIEM team about it.
Thanks Marius.
Let me know if there is anything I can do to help.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
