Fielddata is disabled


I upgraded from Elastic Stack version 6.8 to 7.4. I installed Auditbeat on all my servers, with the configuration below.


```yaml
auditbeat.modules:

- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /opt

- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - login   # User logins, logouts, and system boots.
    - package # Installed, updated, and removed packages
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information

  user.detect_password_changes: true

  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: ""

output.elasticsearch:
  hosts: [""]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
```

I set up SIEM on Elastic Stack and everything was normal until yesterday. Today it is presenting the following error:

My mapping is:

Can you help me solve this? I'm new to Elastic Stack and I don't know much.

Can someone help me?


Hi @Manoel, did you run ./auditbeat setup before running Auditbeat? This sets up the index with the proper data types. The error looks like it does not have the right ones.
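
An added example, not part of the thread and not Elastic's code, of the check this reply points at: an index created without the Beats template falls back to dynamic mapping, where strings become `text`, and aggregating on those fields raises "Fielddata is disabled". The sketch walks a `_mapping` response and lists, per index, the fields that are `text` but expected to be `keyword`; the sample mapping, index names and the expected-field set are constructed assumptions.

```python
import json

# Constructed sample shaped like a 7.x `GET auditbeat-*/_mapping` response.
# Index names and field choice are made up for illustration.
SAMPLE_MAPPING = json.loads("""
{
  "auditbeat-template-example": {"mappings": {"properties": {
    "host":  {"properties": {"name": {"type": "keyword", "ignore_above": 1024}}},
    "event": {"properties": {"module": {"type": "keyword"}}},
    "user":  {"properties": {"name": {"type": "keyword"}}},
    "message": {"type": "text"}
  }}},
  "auditbeat-dynamic-example": {"mappings": {"properties": {
    "host":  {"properties": {"name": {"type": "text",
              "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}}},
    "event": {"properties": {"module": {"type": "text",
              "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}}},
    "user":  {"properties": {"name": {"type": "text"}}},
    "message": {"type": "text"}
  }}}
}
""")

# Assumption: fields the SIEM views aggregate on and that should be keyword.
EXPECTED_KEYWORD = {"host.name", "event.module", "user.name"}

def text_fields(properties, prefix=""):
    """Yield dotted paths of text fields that have fielddata off (the default)."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:                      # object field: recurse
            yield from text_fields(spec["properties"], path + ".")
        elif spec.get("type") == "text" and not spec.get("fielddata", False):
            yield path

def audit_mappings(mapping_response, expected_keyword):
    """Return {index: [fields mapped as text but expected to be keyword]}."""
    report = {}
    for index, body in mapping_response.items():
        props = body.get("mappings", {}).get("properties", {})
        wrong = sorted(set(text_fields(props)) & expected_keyword)
        if wrong:
            report[index] = wrong
    return report

if __name__ == "__main__":
    for index, fields in audit_mappings(SAMPLE_MAPPING, EXPECTED_KEYWORD).items():
        print(f"{index}: aggregations will fail on {', '.join(fields)}")
```

To run it against a real cluster, replace `SAMPLE_MAPPING` with the parsed JSON returned by `GET auditbeat-*/_mapping`.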

Hello @cwurm, thanks for the support.

I scripted Ansible to automate the installation of Auditbeat on my 150 Linux servers. In the process I have the command: sudo auditbeat setup

From the log, can I know which server is sending the wrong information?