Fielddata is disabled

Hello.

I upgraded from Elastic Stack version 6.8 to 7.4. I installed Auditbeat on all my servers, with the configuration below.

auditbeat.modules:

- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /opt

- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - login   # User logins, logouts, and system boots.
    - package # Installed, updated, and removed packages
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information

  user.detect_password_changes: true

  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:

  host: "http://yspp0051.ymdb.com.br:80"

output.elasticsearch:
  hosts: ["yspp0053.ymdb.com.br:9200"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

I set up SIEM on Elastic Stack and everything was normal until yesterday. Today it is presenting the following error:


My mapping is:

https://justpaste.it/3hl4g

Can you help me solve this? I'm new to Elastic Stack and I don't know much.

Can someone help me?

Thanks

Hi @Manoel, did you run ./auditbeat setup before running Auditbeat? This sets up the index with the proper data types. The error looks like it does not have the right ones.
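An added example (not part of the thread and not Elastic's code): one way to check the point made in the reply above, whether an Auditbeat index received the template's data types. It assumes the Elasticsearch 7.x response shape of `GET auditbeat-*/_mapping` and treats a `text` field carrying a `keyword` sub-field as the mark of default dynamic mapping; the sample mapping and index names are constructed.

```python
import json

# Constructed sample of a `GET auditbeat-*/_mapping` response (7.x shape).
# Index names and fields are illustrative, not taken from the thread.
SAMPLE_MAPPING = json.loads("""
{
  "auditbeat-7.4.0-2019.10.20": {"mappings": {"properties": {
    "host": {"properties": {"name": {"type": "keyword", "ignore_above": 1024}}},
    "message": {"type": "text", "norms": false}
  }}},
  "auditbeat-7.4.0-2019.10.21": {"mappings": {"properties": {
    "host": {"properties": {"name": {"type": "text",
      "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}}},
    "message": {"type": "text",
      "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}
  }}}
}
""")


def walk(properties, prefix=""):
    """Yield (dotted_field_name, field_definition) for every leaf field."""
    for name, definition in properties.items():
        path = prefix + name
        if "properties" in definition:          # object field: recurse
            yield from walk(definition["properties"], path + ".")
        else:
            yield path, definition


def dynamically_mapped_text_fields(mapping_response):
    """Return {index: [fields]} for text fields shaped like dynamic mapping."""
    findings = {}
    for index, body in mapping_response.items():
        props = body.get("mappings", {}).get("properties", {})
        hits = sorted(
            path for path, d in walk(props)
            if d.get("type") == "text"              # aggregations need fielddata
            and not d.get("fielddata", False)       # ...which is off by default
            and "keyword" in d.get("fields", {})    # dynamic-mapping signature
        )
        if hits:
            findings[index] = hits
    return findings


if __name__ == "__main__":
    for index, fields in dynamically_mapped_text_fields(SAMPLE_MAPPING).items():
        print(index, "->", ", ".join(fields))
```

An index that shows up here was created without the Auditbeat template in place, so aggregations on the listed fields fail with the fielddata error.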

Hello @cwurm, thanks for the support.

I scripted Ansible to automate the installation of AuditBeat on my 150 Linux servers. In the process I have the command: sudo auditbeat setup

From the log, can I know which server is sending the wrong information?