Issue with auditbeat 7.6.2 Dashboards

I have an Elastic Cloud instance, and I'm trying to set up Auditbeat for some threat hunting purposes.

  1. I have installed Auditbeat on a Linux server.

  2. Enabled the below datasets:

     • hosts
     • login
     • package
     • process
     • socket
     • user

  3. setup.dashboards.enabled: true

  4. Set the output to a Redis list --> Redis list to ---> Elastic (success)

  5. auditbeat setup --dashboards --> Success

I'm getting that data into Elasticsearch successfully. When I open the dashboards generated by the auditbeat setup --dashboards command, they show various errors.

Below are some of the errors I'm getting. Not even one dashboard loads without errors.

Saved "field" parameter is now invalid. Please select a new field.

[esaggs] > "field" is a required parameter

Could not locate that index-pattern-field (id: socket.entity_id)

When I checked the index pattern, I could see that certain fields the dashboards throw errors for are missing from the index pattern.

Could you please help me on how to fix this?

Regards
Karthik.K

Hi Admins,

Could you please shed some light here?

Or does anyone need any more info? Kindly comment.

It will be really helpful if anyone can assist.

Regards
Karthik.K

Since you are going through Redis, did you install the Elasticsearch index template for the auditbeat-* indices?

https://www.elastic.co/guide/en/beats/auditbeat/7.x/auditbeat-template.html

Hi Andrews,

Thanks for your reply.

Here I'm using Redis just to ensure smooth polling of data to Elastic. I'm not enhancing any data that Auditbeat sends to Redis.

So I want to use the available default index template, which Auditbeat creates if the data is sent directly from Beats to Elastic.

Can you guide me on how I can achieve this?

Regards
Karthik.K

The documentation I linked to shows an example for when you are using the Logstash output. Just substitute redis for logstash in the commands. For example, if you were on Linux:

./auditbeat setup --index-management -E output.redis.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
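As an added example (not code from this thread, from Auditbeat or from Kibana), here is a small Python check for the diagnosis behind the "Could not locate that index-pattern-field" errors above: fetch the installed template with GET _template/<name> (Beats 7.x name it after the Beat and version, e.g. auditbeat-7.6.2), flatten its mappings to dotted field names, and compare them with the fields a dashboard references. It also checks whether the template's index_patterns would cover a given index name, which is why the default auditbeat-<version>-* naming matters for the template and ILM setup. The template response and the DASHBOARD_FIELDS list are constructed: socket.entity_id comes from the error message in the question, the other fields are assumed for illustration.

```python
"""Check that an Elasticsearch index template carries the fields a Beats
dashboard references, and that its index_patterns match the indices you
actually write to. Constructed example; not Auditbeat or Kibana code.
"""
import fnmatch
import json
from typing import Dict, Iterable, List, Set

# Constructed sample shaped like a (heavily trimmed) response to
#   GET _template/auditbeat-7.6.2
# A real Auditbeat template defines far more fields than shown here.
SAMPLE_TEMPLATE_RESPONSE = json.dumps({
    "auditbeat-7.6.2": {
        "index_patterns": ["auditbeat-7.6.2-*"],
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "event": {"properties": {
                    "action": {"type": "keyword"},
                    "module": {"type": "keyword"},
                }},
                "socket": {"properties": {
                    "entity_id": {"type": "keyword"},
                }},
                "process": {"properties": {
                    "name": {"type": "keyword"},
                    "pid": {"type": "long"},
                }},
            }
        },
    }
})

# Fields this check assumes the dashboards reference. socket.entity_id is
# taken from the error in the question; the others are assumed (constructed).
DASHBOARD_FIELDS = ["@timestamp", "event.action", "socket.entity_id",
                    "process.name", "user.name"]


def flatten_properties(props: Dict, prefix: str = "") -> Set[str]:
    """Turn a nested Elasticsearch 'properties' mapping into dotted names,
    e.g. {"socket": {"properties": {"entity_id": ...}}} -> {"socket.entity_id"}."""
    fields: Set[str] = set()
    for name, spec in props.items():
        full = prefix + name
        if isinstance(spec, dict) and "properties" in spec:
            fields |= flatten_properties(spec["properties"], full + ".")
        else:
            fields.add(full)
    return fields


def template_fields(response_json: str, template_name: str) -> Set[str]:
    """All leaf field names mapped by one template in a GET _template response."""
    tmpl = json.loads(response_json)[template_name]
    return flatten_properties(tmpl["mappings"]["properties"])


def template_matches_index(response_json: str, template_name: str,
                           index_name: str) -> bool:
    """Would this template be applied to a new index with this name?
    Elasticsearch index_patterns only use '*' as a wildcard; fnmatch also
    understands '?' and '[...]', which Beats index names never contain."""
    tmpl = json.loads(response_json)[template_name]
    return any(fnmatch.fnmatchcase(index_name, p) for p in tmpl["index_patterns"])


def missing_fields(required: Iterable[str], present: Iterable[str]) -> List[str]:
    """Fields the dashboards need that the template does not map."""
    return sorted(set(required) - set(present))


if __name__ == "__main__":
    present = template_fields(SAMPLE_TEMPLATE_RESPONSE, "auditbeat-7.6.2")
    print("missing from template:", missing_fields(DASHBOARD_FIELDS, present))
    for idx in ["auditbeat-7.6.2-2020.05.01-000001", "auditbeat-custom-2020.05.01"]:
        print(idx, "covered by template:",
              template_matches_index(SAMPLE_TEMPLATE_RESPONSE, "auditbeat-7.6.2", idx))
```

To run this against a real cluster, replace SAMPLE_TEMPLATE_RESPONSE with the body returned by curl -u user:pass https://your-cluster:9243/_template/auditbeat-7.6.2 (a 7.x legacy template endpoint); an empty field set or a non-matching index name means the template was never installed or is not being applied to the indices Redis is feeding, which is exactly the situation the setup --index-management command above fixes.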

That's wonderful!

I have added the below few lines, which served the purpose.

# Load the default Auditbeat index template into Elasticsearch
setup.template:
  name: "auditbeat"
  pattern: "auditbeat-*"
  fields: "/etc/auditbeat/fields.yml"
  enabled: true
  overwrite: true

# Load the Kibana dashboards against the same index pattern
setup.dashboards.enabled: true
setup.dashboards.index: "auditbeat-*"
# ILM would otherwise force the versioned index naming
setup.ilm.enabled: false

Here, when I enable ILM, it automatically creates the index in a specific format. So in order to avoid that, I have disabled it.

But ILM is a good feature and I would like to have it. Is there any way I can enable ILM on an index with a custom name?

ILM ignores the setup.template.name and setup.template.pattern options. You need to use the defaults to have the built-in policy work. (source: https://www.elastic.co/guide/en/beats/auditbeat/current/ilm.html)

Setting up your own ILM policy is possible. You'll need to manage the template yourself and follow the steps in the ILM tutorial. But consider using the default index naming so you can use the automatic ILM setup. The indices include the version for a reason. It makes upgrades easier and prevents conflicts in mappings/templates.

