I am completely new to Elastic and scripting in general. I was told to install ElasticStack on our network for monitoring purposes.
I now have both Elasticsearch and Kibana installed. I am currently trying to create dashboards/visualizations for monitoring. It's great that it comes with a lot of pre-loaded fields and dashboards, but I am trying to create new fields/data views to create new dashboards.
I am trying to create a data view for all login attempts. Similar to the pre-loaded ssh login attempts (i.e. system.auth.ssh.events).
I tried following the 'Elastic Runtime Field example repository' I found online and a few others, but it's not giving me the correct results, so I know I'm doing something wrong.
So far, I created the data view with the name 'system.auth.login.event', I enabled 'Set Value' and put the following in the 'Define Script' field:
if(!doc.containsKey('the password for the login keyring was invalid.')) {
emit('Login Failed');
}
When I go into Discover and select my newly created field in the 'Available fields' column, I get millions of results, which I know is incorrect because if I search for just the string "the password for the login keyring was invalid" in the KQL filter, I get under 100 results.
Could someone please tell me the correct scripting or a document for me to better understand it? Thank you.
When I go into Discover and select my newly created field in the 'Available fields' column, I get millions of results, which I know is incorrect because if I search for just the string "the password for the login keyring was invalid" in the KQL filter, I get under 100 results.
How do you search for that in KQL?
I guess the problem there is to select the right field in the condition:
if(!doc["<field here>"].value === 'the password for the login keyring was invalid.') {
emit('Login Failed');
}
In this case, I specifically searched for the message that comes up in my logs on the machine (/var/log/secure), which is "the password for the login keyring was invalid."
When I search for that message in the KQL search bar, it comes with the following text (there's a lot more information that comes up, but I want to focus on the following):
"message": [
"gkr-pam: the password for the login keyring was invalid."
],
When I use the condition you mentioned, I get the following script error: class_cast_exception: Cannot cast from [boolean] to [java.lang.Object].
This is exactly what I entered:
if(!doc["message"].value === 'the password for the login keyring was invalid.') {
emit('Login Failed');
}
I'm assuming I replace "field here" with the field I found in the logs, which is "message". Is that correct?
Now I have the mapping as keyword (message.keyword) instead of match_only_text.
I tried the above code and replaced "message" with "message.keyword", but it errors out with the following message: No field found for [message.keyword] in mapping.
I'm still unsure of what to put exactly in the script field. Hopefully I'm on the right track.
The network my ElasticStack is on is air-gapped, so I'm unable to get any screenshots.
But to answer your questions.
Yes, I did add the new mappings before I reindexed it, and I see the mappings when I run a GET request.
In Discover, I do have access to the text field (message) and I see the keyword field for the new mapping (message.keyword) in the KQL search bar, but I do not see the message.keyword in the 'available fields' on the left column of Discover. I do however see message.keyword in the Dataviews under Stack Management.
Assuming you are on a relatively new version of Elastic Stack, you will only see the single field name in the Discover list of fields even though it is a multi-field.
The fact you can find it in the KQL bar is validation and you should be able to filter with the message.keyword on exact matches... Can you do that?
Ahh, the script! Here is a sample in the Data View... If you want to use it in queries you need to add it to the mapping as a runtime field... you do NOT have to reindex for that.
Does the data view reference both indices that have the new mapping and some that do not have the new mapping? That seems likely to be the issue....
The actual test document on the right side of the last image: can you find message.keyword in that document? I suspect not, because the index pattern is grabbing a document from some other document that does not have the message.keyword field.
So I think you have mixed documents. You can put in some error handling; let me figure that out... you have the worst kind of mixed: some with message as text and some with message as text and keyword.
Hello, sorry for the late response. I tried the code, but I still get the same error saying that the 'message.keyword' field was not found.
So I rolled back my ES VM from the last snapshot to when I didn't change any settings or mappings.
I read that if I'm just adding to a mapping, I do not need to reindex, which in this case I am just adding to it.
The index I'm adding to is a built-in index (which is hidden) called '.ds-logs-system-auth-default-YYYY.MM.DD-000001'
The section of the index I'm adding the mapping to looks like this:
After completing successfully, I see the field 'message.keyword' in my Data View and my KQL bar in Discover.
When I add a new field, i.e. 'login.events', and set the value as mentioned above (I tried every one that was recommended), I still get the error that it cannot find the 'message.keyword' mapping.
Hi @jreyes25, I think there is a fundamental misunderstanding: just adding a mapping to an existing index does not make the field available... it is like adding a column in a database; now you have a new column but there is no data in it.
Just adding a field to the mapping does not put the data into that field... It just updates the schema.
You need to add that mapping to the template so that when a new index is created and the data comes in, it gets put into this field...
Do you have an event.original field? that is probably already a keyword
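An added example (not posted by anyone in this thread) of how I would put the two suggestions above together: a runtime field that matches on the message text without depending on message.keyword, installed through a template and on the current backing index. It reads the message from params._source, which works whether the document's message is plain text, match_only_text, or text with a keyword multi-field, so the mixed-mapping case produces no "No field found" error; documents without a message simply get no value. Assumed names: the data stream logs-system.auth-default and the custom component template logs-system.auth@custom are the standard Elastic Agent naming for the system integration (the thread only shows the backing index .ds-logs-system-auth-default-...), and the field name system.auth.login.event is taken from the original post. The script's two fixes relative to the scripts posted earlier: it tests the field's value, not a field name (doc.containsKey only checks whether a field exists), and it avoids `!doc[...].value === ...`, where the `!` is applied to the string value itself and causes the class_cast_exception reported above.

```console
# 1. Put the runtime field in the custom component template so every
#    new backing index of the data stream gets it (no reindex needed).
#    Template name is assumed to follow the Elastic Agent integration layout.
PUT _component_template/logs-system.auth@custom
{
  "template": {
    "mappings": {
      "runtime": {
        "system.auth.login.event": {
          "type": "keyword",
          "script": {
            "source": """
              // Read the raw message from _source: independent of whether
              // message is text, match_only_text, or has a .keyword multi-field.
              def m = params._source['message'];
              if (m == null) { return; }          // document has no message: emit nothing
              String s = m.toString().toLowerCase();
              // substring match: the real line is prefixed ("gkr-pam: ...") so
              // exact equality would never fire
              if (s.contains('the password for the login keyring was invalid')) {
                emit('Login Failed');
              }
            """
          }
        }
      }
    }
  }
}

# 2. The template only applies to indices created from now on. Either roll
#    the data stream over ...
POST logs-system.auth-default/_rollover

# ... or add the same runtime field directly to the existing backing index
#    (runtime mappings can be added to a live index without reindexing).
#    The index name below is a placeholder; copy the real one from
#    GET _data_stream/logs-system.auth-default
PUT .ds-logs-system.auth-default-YYYY.MM.DD-000001/_mapping
{
  "runtime": {
    "system.auth.login.event": {
      "type": "keyword",
      "script": {
        "source": "def m = params._source['message']; if (m == null) { return; } if (m.toString().toLowerCase().contains('the password for the login keyring was invalid')) { emit('Login Failed'); }"
      }
    }
  }
}

# 3. Check: this should return the same small count as the KQL string search,
#    not millions of hits, because only matching documents emit a value.
GET logs-system.auth-default/_search
{
  "size": 0,
  "track_total_hits": true,
  "query": {
    "term": { "system.auth.login.event": "Login Failed" }
  }
}
```

Once the field is in the mapping (rather than only in the Kibana data view), the same KQL works in Discover, visualizations and alert rules: `system.auth.login.event : "Login Failed"`. Reading params._source costs a source fetch per document evaluated, so if this field ends up in heavy dashboards it is worth materialising it at ingest time instead (for example with an ingest pipeline processor that sets the field), at which point it becomes an ordinary indexed keyword.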