Filebeat module's fields in SIEM columns

radovan · March 3, 2021, 11:00am

Hi,

after upgrading our cluster from 7.10.2 to 7.11.1 we can no more see values of filebeat module's fields in columns, for example suricata's fields (screenshot below),

although they are included in the signal's fields.

Suricata module is parsed through logstash ingest pipeline and the pipeline and filebeat on the host are upgraded to the latest version. In the suricata index, suricata fields have their appropriate mappings, but the situation is not the same in the signals index, as you can see on the picture above, where suricata fields have question mark instead of field type.

What should I do to acquire the same mapping, or something else, that would lead to previous behaviour before upgrade, where I could normally see the fields' values in the columns for non-directly ECS fields?

Frank_Hassanabad · March 5, 2021, 7:42pm

We have an issue for it you can watch here. Un-indexed fields aren't being shown in the columns:

system · April 2, 2021, 7:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Suricata module not working as expected Beats filebeat	8	2579	May 27, 2019
Filebeat - json imports Beats filebeat	2	571	September 25, 2019
The suricata results shown on the [filebeat dashboard] are different from the results shown in the [security -> alerts] on kibana SIEM	2	44	October 29, 2024
Just one unknown field - Filebeat json parsing Beats filebeat	5	1071	July 2, 2020
SIEM does not show data SIEM	8	1494	May 21, 2020

Filebeat module's fields in SIEM columns

Related Topics