Error in Dashboard/ [filebeat System]

Hi Team,

I am getting an error (as attached) when I click Dashboard and select filebeat; I get the error for the tabs Sudo commands | SSH logins | New users and groups. How can I see all this information?

I have enabled the filebeat system module, so I can see logs coming to the syslog tab, but at the bottom right an error window pops up saying "save "field" parameter is now invalid. Please select a new field." and "Error in visualization. [esaggs] > is a required parameter."

elasticsearch version - 7.4.0
kibana - 7.4.0
filebeat - 7.4.0
Can you please help to solve this?


Try to refresh your index pattern.

If that doesn't work, you might want to delete those dashboards and visualizations and re-import the dashboards.

Hi @aaron-nimocks,

Thanks for your reply.

I refreshed the field list for filebeat-* in Index Patterns and tried to see the Dashboard for [Filebeat System], but it's still showing those errors.

Deleting dashboards looks OK - I need to go into Dashboards and delete SSH login attempts ECS, New users and groups ECS, Sudo commands ECS,

and the same thing needs to be repeated in the Visualizations tab.

For re-importing, the docs say "If you've configured the Logstash output, see Load dashboards for Logstash output", but in my case the kafka output is enabled (I am saying this because output.kafka is mentioned in filebeat.yml).

So how can I re-import the filebeat dashboards and visualisations when filebeat is sending data to kafka?


By running ./filebeat setup --dashboards on the command line you can do it manually. You need to have your Kibana settings in the yml file for this to work.

Hi @aaron-nimocks,

I deleted each (sudo commands, SSH logins, New users and groups) from the Dashboard and Visualize tabs and ran

    filebeat setup --dashboards

It gave this output:

    Loading dashboards (kibana must be running and reachable)
    Loaded dashboards

It is still showing the same errors in Dashboards for [filebeat system] for Sudo commands, SSH logins etc.

I also restarted filebeat service but no luck.

I have the below in filebeat.yml (the Kibana settings block):

    setup.kibana:
      host: "localhost:8601"
      username: elastic
      password: Password

It's a single-node cluster, so Kibana is also running on the same node, and the Kibana service is running.

In your index pattern do you see system.auth.ssh.event?

Does your system module config have it enabled?

Do you mean Index Patterns?
I can't see system.auth.ssh.event in Index Patterns ---> filebeat-*.
Inside it I have searched for system.auth.ssh.event in the Filter search bar.

(Actually, in index patterns I can see two filebeat-* entries (one has 33 fields and the other has 570 fields), maybe due to some issue. I have checked in both of them.)

The system module is enabled and I can see it under Enabled after running the filebeat modules list command. The /etc/filebeat/modules.d/system.yml is the default, i.e. I haven't changed anything in it.

If you don't have any fields then I don't think you are getting that data.

    - module: system
      # Syslog fileset
      syslog:
        enabled: true
        var.paths: ["/path/to/log/syslog*"]
      # Authorization logs fileset (this is where the SSH/sudo/useradd data comes from)
      auth:
        enabled: true
        var.paths: ["/path/to/log/auth.log*"]

I'd start by verifying the path to the auth logs, checking that it's correct and that the log has the correct data.

This is /etc/filebeat/modules.d/system.yml:

    # Module: system
    # Docs:

    - module: system
      # Syslog
      syslog:
        enabled: true

        # Set custom paths for the log files. If left empty,
        # Filebeat will choose the paths depending on your OS.

      # Authorization logs
      auth:
        enabled: true

        # Set custom paths for the log files. If left empty,
        # Filebeat will choose the paths depending on your OS.

I'm assuming it's looking for data in /var/log/syslog as the default path.

I can't find any of the words ssh, sudo or user in the syslog file.

Do you mean that because I am not getting any ssh-related messages or sudo-related logs in the syslog file, it's not showing data for those dashboards?

Correct. Syslog won't get that data. Auth logs will.

You need to find those logs for your system and make sure that data is being generated. Usually the auditd module will do this with filebeat.
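Added example (not from this thread and not Filebeat's own code): a small Python check you can run over a copy of your auth log to see whether it actually contains the sshd, sudo, useradd and groupadd messages those three dashboards are built from, i.e. the data that plain syslog does not carry. The sample lines are constructed; every field name apart from system.auth.ssh.event, and the dashboard-to-event mapping, are assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (not from the thread); only the
# last one is the kind of message that also lands in /var/log/syslog.
SAMPLE_AUTH_LOG = """\
Nov  5 10:01:02 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2: RSA SHA256:abc
Nov  5 10:01:45 host1 sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
Nov  5 10:02:10 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Nov  5 10:03:00 host1 useradd[1300]: new user: name=bob, UID=1002, GID=1002, home=/home/bob, shell=/bin/bash
Nov  5 10:03:01 host1 groupadd[1301]: new group: name=devs, GID=2001
Nov  5 10:04:00 host1 CRON[1400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : TTY=(\S+) ; PWD=(\S+) ; USER=(\S+) ; COMMAND=(.*)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+), UID=(\d+)")
GROUPADD_RE = re.compile(r"groupadd\[\d+\]: new group: name=([^,]+), GID=(\d+)")

# Assumed mapping from each failing dashboard to the event kinds it visualises.
DASHBOARD_NEEDS = {"SSH login attempts ECS": {"ssh"}, "Sudo commands ECS": {"sudo"},
                   "New users and groups ECS": {"useradd", "groupadd"}}

def parse_auth_line(line):
    """Map one auth.log line to (event kind, system.auth.* fields) or None.
    Field names other than system.auth.ssh.event are assumed, not taken from the thread."""
    if m := SSH_RE.search(line):
        return "ssh", {"system.auth.ssh.event": m.group(1), "system.auth.ssh.method": m.group(2),
                       "user.name": m.group(3), "source.ip": m.group(4)}
    if m := SUDO_RE.search(line):
        return "sudo", {"system.auth.sudo.user": m.group(1), "system.auth.sudo.tty": m.group(2),
                        "system.auth.sudo.pwd": m.group(3), "system.auth.sudo.command": m.group(5)}
    if m := USERADD_RE.search(line):
        return "useradd", {"system.auth.useradd.name": m.group(1), "system.auth.useradd.uid": int(m.group(2))}
    if m := GROUPADD_RE.search(line):
        return "groupadd", {"system.auth.groupadd.name": m.group(1), "system.auth.groupadd.gid": int(m.group(2))}
    return None  # cron/pam session noise: this is all syslog carries, and it feeds none of the dashboards

def count_events(log_text):
    """Count lines per event kind; zero for a kind means its dashboard will stay empty."""
    return Counter(p[0] for p in map(parse_auth_line, log_text.splitlines()) if p)

def empty_dashboards(log_text):
    """Dashboards that would show nothing if Filebeat read only this log text."""
    present = set(count_events(log_text))
    return sorted(name for name, kinds in DASHBOARD_NEEDS.items() if not kinds & present)
```

Run it against the file the auth fileset is actually pointed at; if empty_dashboards() lists all three, the path or the logging setup is the problem, not the dashboard import.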
