Hello!
Just upgrade Kibana and Elasticsearch from 7.8 to 7.15.1 and found, that Failure authentications not displayed at "security-hosts-authentications". With Success auth all good and they displayed at Authentications section. But fail auth I see only at User authentications counters. What could be the problem with?
Found, that failure auth provide username at "user.effective.name" and success auth at "user.name".
Dashboard request require "user.name" field. How I can resolve this problem? Maybe I can rename "user.effective.name" at "user.name" or change dashboard request?
There has probably been a change in mapping between the two versions. You can either change the dashboard to use the new field name or use a field alias to point to the new name.
Can you say, how I can modify standart Dashboard? (for example "Inspect Authentications")?
if they are in the Dashboards app, just select switch to edit mode in the top right of the screen and then you can edit any visualization on that dashboard.
Maybe you can help with alias? What i should add to index template alias for rename user.effective.name to user.name?
Downgrade to 7.8.1 auditbeat - all works fine.. But it's not good way
Yes, if that is done, you don't need to upgrade the dashboard. If it's a dashboard shipped with Auditbeat, you can import the news ones after upgrading auditbeat to 7.15.1.
Problem was solved - removed old index pattern, update pattern and configure processors drop_event at auditbeat config.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.