Fielddata is disabled

Manoel · November 6, 2019, 3:14pm

Hello.

I upgraded from Elastic Stack version 6.8 to 7.4. I installed AudioBeat on all my servers, with the configuration below.

auditbeat.modules:

- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /opt

- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - login   # User logins, logouts, and system boots.
    - package # Installed, updated, and removed packages
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information

  user.detect_password_changes: true

  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:

  host: "http://yspp0051.ymdb.com.br:80"

output.elasticsearch:
  hosts: ["yspp0053.ymdb.com.br:9200"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

I set up SIEM on Elastic Stack and everything was normal until yesterday. Today is presenting the following error:

My mapping is:

https://justpaste.it/3hl4g

Can you help me solve? I'm new to Elastic Stack and I don't know much.

Manoel · November 7, 2019, 11:54am

Can someone help me?

Thanks

cwurm · November 7, 2019, 3:10pm

Hi @Manoel, did you run ./auditbeat setup before running Auditbeat? This sets up the index with the proper data types. The error looks like it does not have the right ones.

Manoel · November 7, 2019, 5:22pm

Hello @cwurm, thanks for the support.

I scripted Ansible to automate the installation of AuditBeat on my 150 Linux servers. In the process I have the command: sudo auditbeat setup

In the log I can know which server is sending the wrong information?

fredrcc · November 22, 2019, 2:44pm

Hi Manoel did you find out what was the problem? I'm having the same issue with Filebeat and ES 7.4.2

cwurm · November 25, 2019, 11:52am

@Manoel ./auditbeat setup should be run only once, not more.

@Manoel, @fredrcc In general, you should run ./auditbeat setup once from an admin machine, then only run ./auditbeat on the monitored machines. You can test it works by running both against an empty Elasticsearch cluster. If it doesn't work in your environment, there must be some difference - e.g. you're not using the default index pattern, the setup command failed - or something else.

fredrcc · November 28, 2019, 5:51pm

I've run filebeat setup from the logstash server, because it's the only server with access to the ES and Kibana. Then I start filebeat from a client to send logs to my logstash.

I've tried to remove the filebeat index, index templates and dashboards and re-run filebeat setup again, but it didn't work too. There's any configuration else to remove to start a fresh filebeat setup on a production ES?

Regards.

system · December 26, 2019, 5:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.