I have an Elastic Cloud instance, and I'm trying to set up Auditbeat for some threat hunting purposes.
I have installed Auditbeat on a Linux server.
Enabled the below datasets:
hosts
login
package
process
socket
user
setup.dashboards.enabled: true
Set the output to a Redis list -> Redis list to -> Elastic (success)
auditbeat setup --dashboards -> success
I'm getting that data in Elasticsearch successfully. When I open the dashboards generated by the auditbeat setup --dashboards command, they show various errors.
Below are some of the errors I'm getting. Not even one dashboard loads without errors.
Saved "field" parameter is now invalid. Please select a new field.
[esaggs] > "field" is a required parameter
Could not locate that index-pattern-field (id: socket.entity_id)
When I checked the index pattern, I could see that certain fields for which the dashboards throw errors are missing from the index pattern.
The documentation I linked to shows an example for when you are using the Logstash output. Just substitute redis for logstash in the commands. Like if you were on Linux
Setting up your own ILM policy is possible. You'll need to manage the template yourself and follow the steps in the ILM tutorial. But consider using the default index naming so you can use the automatic ILM setup. The indices include the version for a reason. It makes upgrades easier and prevents conflicts in mappings/templates.
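An added example (not from the thread or from Elastic) of the check to run before and after loading the template: it flattens a GET auditbeat-*/_mapping response and reports which dashboard fields are missing from the index or were dynamically mapped as `text` (which aggregations cannot use, hence the "field is a required parameter" errors). The mapping sample and the REQUIRED list are constructed; only socket.entity_id comes from the error on the page.

```python
"""Check an auditbeat-* mapping for the fields the Auditbeat dashboards need.
Without the index template, Elasticsearch maps the first documents dynamically:
some fields are absent and string fields become `text`, which is not aggregatable.
"""

# Constructed sample of a GET auditbeat-*/_mapping response from such an index.
# The index name is a placeholder; only socket.entity_id comes from the thread.
DYNAMIC_MAPPING = {
    "auditbeat-sample-dynamic": {
        "mappings": {"properties": {
            "event": {"properties": {"action": {
                "type": "text", "fields": {"keyword": {"type": "keyword"}}}}},
            "host": {"properties": {"name": {"type": "keyword"}}},
            "socket": {"properties": {"direction": {"type": "keyword"}}},
        }}
    }
}

# Fields assumed to be referenced by the dashboards (socket.entity_id is the
# one named in the error on the page; the rest are ECS fields Auditbeat emits).
REQUIRED = ["socket.entity_id", "process.entity_id", "event.action", "host.name"]


def flatten_fields(properties, prefix=""):
    """Return {dotted.field.name: es_type} for a mappings 'properties' tree."""
    fields = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:                      # object field: recurse
            fields.update(flatten_fields(spec["properties"], path + "."))
            continue
        fields[path] = spec.get("type", "object")
        for sub, subspec in spec.get("fields", {}).items():  # multi-fields
            fields[path + "." + sub] = subspec.get("type", "object")
    return fields


def field_status(mapping_response, required):
    """Map each required field to 'ok', 'missing', or 'text' (not aggregatable)."""
    present = {}
    for index in mapping_response.values():
        present.update(flatten_fields(index["mappings"].get("properties", {})))
    return {
        f: "missing" if f not in present else ("text" if present[f] == "text" else "ok")
        for f in required
    }


if __name__ == "__main__":
    # Replace DYNAMIC_MAPPING with json.load() of a real _mapping response.
    for field, status in field_status(DYNAMIC_MAPPING, REQUIRED).items():
        print(f"{field:20} {status}")
```

Any field reported as "missing" or "text" will still fail in the dashboards after the template is loaded until the old dynamically mapped index is rolled over or reindexed, because a template only applies to indices created after it.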