Hello,
I can see logs in the Discover app, but no logs in either the Observability or the Security app.
I'm using the Wazuh module with Filebeat. How can I troubleshoot this?
- Debian buster
- Elasticsearch 7.17.5, basic licence, single node
- Kibana
- Filebeat 7.17.5 with the Wazuh module
Thanks for your help!
Here is part of the mapping of one index (the full mapping exceeded the character limit for the post):
GET wazuh-alerts-*/_mapping
{
"wazuh-alerts-4.x-2022.09.20" : {
"mappings" : {
"dynamic_templates" : [
{
"string_as_keyword" : {
"match_mapping_type" : "string",
"mapping" : {
"type" : "keyword"
}
}
}
],
"date_detection" : false,
"properties" : {
"@timestamp" : {
"type" : "date"
},
"@version" : {
"type" : "text"
},
"GeoLocation" : {
"properties" : {
"area_code" : {
"type" : "long"
},
"city_name" : {
"type" : "keyword"
},
"continent_code" : {
"type" : "text"
},
"coordinates" : {
"type" : "double"
},
"country_code2" : {
"type" : "text"
},
"country_code3" : {
"type" : "text"
},
"country_name" : {
"type" : "keyword"
},
"dma_code" : {
"type" : "long"
},
"ip" : {
"type" : "keyword"
},
"latitude" : {
"type" : "double"
},
"location" : {
"type" : "geo_point"
},
"longitude" : {
"type" : "double"
},
"postal_code" : {
"type" : "keyword"
},
"real_region_name" : {
"type" : "keyword"
},
"region_name" : {
"type" : "keyword"
},
"timezone" : {
"type" : "text"
}
}
},
"agent" : {
"properties" : {
"id" : {
"type" : "keyword"
},
"ip" : {
"type" : "keyword"
},
"name" : {
"type" : "keyword"
}
}
},
"cluster" : {
"properties" : {
"name" : {
"type" : "keyword"
},
"node" : {
"type" : "keyword"
}
}
},
"command" : {
"type" : "keyword"
},
"data" : {
"properties" : {
"action" : {
"type" : "keyword"
},
"arch" : {
"type" : "keyword"
},
"audit" : {
"properties" : {
"acct" : {
"type" : "keyword"
},
"arch" : {
"type" : "keyword"
},
"auid" : {
"type" : "keyword"
},
"command" : {
"type" : "keyword"
},
"cwd" : {
"type" : "keyword"
},
"dev" : {
"type" : "keyword"
},
"directory" : {
"properties" : {
"inode" : {
"type" : "keyword"
},
"mode" : {
"type" : "keyword"
},
"name" : {
"type" : "keyword"
}
}
},
"egid" : {
"type" : "keyword"
},
"enforcing" : {
"type" : "keyword"
},
"euid" : {
"type" : "keyword"
},
"exe" : {
"type" : "keyword"
},
"execve" : {
"properties" : {
"a0" : {
"type" : "keyword"
},
"a1" : {
"type" : "keyword"
},
"a2" : {
"type" : "keyword"
},
"a3" : {
"type" : "keyword"
}
}
},
"exit" : {
"type" : "keyword"
},
"file" : {
"properties" : {
"inode" : {
"type" : "keyword"
},
"mode" : {
"type" : "keyword"
},
"name" : {
"type" : "keyword"
}
}
},
"fsgid" : {
"type" : "keyword"
},
"fsuid" : {
"type" : "keyword"
},
"gid" : {
"type" : "keyword"
},
"id" : {
"type" : "keyword"
},
"key" : {
"type" : "keyword"
},
"list" : {
"type" : "keyword"
},
"old-auid" : {
"type" : "keyword"
},
"old-ses" : {
"type" : "keyword"
},
"old_enforcing" : {
"type" : "keyword"
},
"old_prom" : {
"type" : "keyword"
},
"op" : {
"type" : "keyword"
},
"pid" : {
"type" : "keyword"
},
"ppid" : {
"type" : "keyword"
},
"prom" : {
"type" : "keyword"
},
"res" : {
"type" : "keyword"
},
"session" : {
"type" : "keyword"
},
"sgid" : {
"type" : "keyword"
},
"srcip" : {
"type" : "keyword"
},
"subj" : {
"type" : "keyword"
},
"success" : {
"type" : "keyword"
},
"suid" : {
"type" : "keyword"
},
"syscall" : {
"type" : "keyword"
},
"tty" : {
"type" : "keyword"
},
"type" : {
"type" : "keyword"
},
"uid" : {
"type" : "keyword"
}
}
},
"aws" : {
"properties" : {
"accountId" : {
"type" : "keyword"
},
"bytes" : {
"type" : "long"
},
"createdAt" : {
"type" : "date"
},
"dstaddr" : {
"type" : "ip"
},
"end" : {
"type" : "date"
},
"log_info" : {
"properties" : {
"s3bucket" : {
"type" : "keyword"
}
}
},
"region" : {
"type" : "keyword"
},
"resource" : {
"properties" : {
"instanceDetails" : {
"properties" : {
"launchTime" : {
"type" : "date"
},
"networkInterfaces" : {
"properties" : {
"privateIpAddress" : {
"type" : "ip"
},
"publicIp" : {
"type" : "ip"
}
}
}
}
}
}
},
"service" : {
"properties" : {
"action" : {
"properties" : {
"networkConnectionAction" : {
"properties" : {
"remoteIpDetails" : {
"properties" : {
"geoLocation" : {
"type" : "geo_point"
},
"ipAddressV4" : {
"type" : "ip"
}
}
}
}
}
}
},
"count" : {
"type" : "long"
},
"eventFirstSeen" : {
"type" : "date"
},
"eventLastSeen" : {
"type" : "date"
}
}
},
"source" : {
"type" : "keyword"
},
"source_ip_address" : {
"type" : "ip"
},
"srcaddr" : {
"type" : "ip"
},
"start" : {
"type" : "date"
},
"updatedAt" : {
"type" : "date"
}
}
},
"cis" : {
"properties" : {
"benchmark" : {
"type" : "keyword"
},
"error" : {
"type" : "long"
},
"fail" : {
"type" : "long"
},
"group" : {
"type" : "keyword"
},
"notchecked" : {
"type" : "long"
},
"pass" : {
"type" : "long"
},
"result" : {
"type" : "keyword"
},
"rule_title" : {
"type" : "keyword"
},
"score" : {
"type" : "long"
},
"timestamp" : {
"type" : "keyword"
},
"unknown" : {
"type" : "long"
}
}
},
"command" : {
"type" : "keyword"
},
"data" : {
"type" : "keyword"
},
"docker" : {
"properties" : {
"Action" : {
"type" : "keyword"
},
"Actor" : {
"properties" : {
"Attributes" : {
"properties" : {
"image" : {
"type" : "keyword"
},
"name" : {
"type" : "keyword"
}
}
}
}
},
"Type" : {
"type" : "keyword"
}
}
},
"dpkg_status" : {
"type" : "keyword"
},
"dstip" : {
"type" : "keyword"
},
"dstport" : {
"type" : "keyword"
},
"dstuser" : {
"type" : "keyword"
},
"extra_data" : {
"type" : "keyword"
},
"gcp" : {
"properties" : {
"jsonPayload" : {
"properties" : {
"authAnswer" : {
"type" : "keyword"
},
"queryName" : {
"type" : "keyword"
},
"responseCode" : {
"type" : "keyword"
},
"vmInstanceId" : {
"type" : "keyword"
},
"vmInstanceName" : {
"type" : "keyword"
}
}
},
"resource" : {
"properties" : {
"labels" : {
"properties" : {
"location" : {
"type" : "keyword"
},
"project_id" : {
"type" : "keyword"
},
"source_type" : {
"type" : "keyword"
}
}
},
"type" : {
"type" : "keyword"
}
}
},
"severity" : {
"type" : "keyword"
}
}
},
"gid" : {
"type" : "keyword"
},
"github" : {
"properties" : {
"action" : {
"type" : "keyword"
},
"actor" : {
"type" : "keyword"
},
"actor_location" : {
"properties" : {
"country_code" : {
"type" : "keyword"
}
}
},
"org" : {
"type" : "keyword"
},
"repo" : {
"type" : "keyword"
}
}
},
"hardware" : {
"properties" : {
"cpu_cores" : {
"type" : "long"
},
"cpu_mhz" : {
"type" : "double"
},
"cpu_name" : {
"type" : "keyword"
},
"ram_free" : {
"type" : "long"
},
"ram_total" : {
"type" : "long"
},
"ram_usage" : {
"type" : "long"
},
"serial" : {
"type" : "keyword"
}
}
},
"home" : {
"type" : "keyword"
},
"id" : {
"type" : "keyword"
},
"integration" : {
"type" : "keyword"
},
"netinfo" : {
"properties" : {
"iface" : {
"properties" : {
"adapter" : {
"type" : "keyword"
},
"ipv4" : {
"properties" : {
"address" : {
"type" : "keyword"
},
"broadcast" : {
"type" : "keyword"
},
"dhcp" : {
"type" : "keyword"
},
"gateway" : {
"type" : "keyword"
},
"metric" : {
"type" : "long"
},
"netmask" : {
"type" : "keyword"
}
}
},
"ipv6" : {
"properties" : {
"address" : {
"type" : "keyword"
},
"broadcast" : {
"type" : "keyword"
},
"dhcp" : {
"type" : "keyword"
},
"gateway" : {
"type" : "keyword"
},
"metric" : {
"type" : "long"
},
"netmask" : {
"type" : "keyword"
}
}
},
"mac" : {
"type" : "keyword"
},
"mtu" : {
"type" : "long"
},
"name" : {
"type" : "keyword"
},
"rx_bytes" : {
"type" : "long"
},
"rx_dropped" : {
"type" : "long"
},
"rx_errors" : {
"type" : "long"
},
"rx_packets" : {
"type" : "long"
},
"state" : {
"type" : "keyword"
},
"tx_bytes" : {
"type" : "long"
},
"tx_dropped" : {
"type" : "long"
},
"tx_errors" : {
"type" : "long"
},
"tx_packets" : {
"type" : "long"
},
"type" : {
"type" : "keyword"
}
}
}
}
},
"office365" : {
"properties" : {
"Actor" : {
"properties" : {
"ID" : {
"type" : "keyword"
}
}
},
"ClientIP" : {
"type" : "keyword"
},
"Operation" : {
"type" : "keyword"
},
"ResultStatus" : {
"type" : "keyword"
},
"Subscription" : {
"type" : "keyword"
},
"UserId" : {
"type" : "keyword"
}
}
},
"os" : {
"properties" : {
"architecture" : {
"type" : "keyword"
},
"build" : {
"type" : "keyword"
},
"codename" : {
"type" : "keyword"
},
"display_version" : {
"type" : "keyword"
},
"hostname" : {
"type" : "keyword"
},
"major" : {
"type" : "keyword"
},
"minor" : {
"type" : "keyword"
},
"name" : {
"type" : "keyword"
},
"patch" : {
"type" : "keyword"
},
"platform" : {
"type" : "keyword"
},
"release" : {
"type" : "keyword"
},
"release_version" : {
"type" : "keyword"
},
"sysname" : {
"type" : "keyword"
},
"version" : {
"type" : "keyword"
}
}
},
"scan" : {
"properties" : {
"benchmark" : {
"properties" : {
"id" : {
"type" : "keyword"
}
}
},
"content" : {
"type" : "keyword"
},
"id" : {
"type" : "keyword"
},
"profile" : {
"properties" : {
"id" : {
"type" : "keyword"
},
"title" : {
"type" : "keyword"
}
}
},
"return_code" : {
"type" : "long"
},
"score" : {
"type" : "double"
}
}
}
}
},
"osquery" : {
"properties" : {
"action" : {
"type" : "keyword"
},
"calendarTime" : {
"type" : "keyword"
},
"name" : {
"type" : "keyword"
},
"pack" : {
"type" : "keyword"
}
}
},
"package" : {
"type" : "keyword"
},
"port" : {
"properties" : {
"inode" : {
"type" : "long"
},
"local_ip" : {
"type" : "ip"
},
"local_port" : {
"type" : "long"
},
"pid" : {
"type" : "long"
},
"process" : {
"type" : "keyword"
},
"protocol" : {
"type" : "keyword"
},
"remote_ip" : {
"type" : "ip"
},
"remote_port" : {
"type" : "long"
},
"rx_queue" : {
"type" : "long"
},
"state" : {
"type" : "keyword"
},
"tx_queue" : {
"type" : "long"
}
}
},
"process" : {
"properties" : {
"args" : {
"type" : "keyword"
},
"cmd" : {
"type" : "keyword"
},
"egroup" : {
"type" : "keyword"
},
"euser" : {
"type" : "keyword"
},
"fgroup" : {
"type" : "keyword"
},
"name" : {
"type" : "keyword"
},
"nice" : {
"type" : "long"
},
"nlwp" : {
"type" : "long"
},
"pgrp" : {
"type" : "long"
},
"pid" : {
"type" : "long"
},
"ppid" : {
"type" : "long"
},
"priority" : {
"type" : "long"
},
"processor" : {
"type" : "long"
},
"resident" : {
"type" : "long"
},
"rgroup" : {
"type" : "keyword"
},
"ruser" : {
"type" : "keyword"
},
"session" : {
"type" : "long"
},
"sgroup" : {
"type" : "keyword"
},
"share" : {
"type" : "long"
},
"size" : {
"type" : "long"
},
"start_time" : {
"type" : "long"
},
"state" : {
"type" : "keyword"
},
"stime" : {
"type" : "long"
},
"suser" : {
"type" : "keyword"
},
"tgid" : {
"type" : "long"
},
"tty" : {
"type" : "long"
},
"utime" : {
"type" : "long"
},
"vm_size" : {
"type" : "long"
}
}
},
"program" : {
"properties" : {
"architecture" : {
"type" : "keyword"
},
"description" : {
"type" : "keyword"
},
"format" : {
"type" : "keyword"
},
"install_time" : {
"type" : "keyword"
},
"location" : {
"type" : "keyword"
},
"multiarch" : {
"type" : "keyword"
},
"name" : {
"type" : "keyword"
},
"priority" : {
"type" : "keyword"
},
"section" : {
"type" : "keyword"
},
"size" : {
"type" : "long"
},
"source" : {
"type" : "keyword"
},
"vendor" : {
"type" : "keyword"
},
"version" : {
"type" : "keyword"
}
}
},
"protocol" : {
"type" : "keyword"
},
"pwd" : {
"type" : "keyword"
},
"virustotal" : {
"properties" : {
"description" : {
"type" : "keyword"
},
"error" : {
"type" : "keyword"
},
"found" : {
"type" : "keyword"
},
"malicious" : {
"type" : "keyword"
},
"permalink" : {
"type" : "keyword"
},
"positives" : {
"type" : "keyword"
},
"scan_date" : {
"type" : "keyword"
},
"sha1" : {
"type" : "keyword"
},
"source" : {
"properties" : {
"alert_id" : {
"type" : "keyword"
},
"file" : {
"type" : "keyword"
},
"md5" : {
"type" : "keyword"
},
"sha1" : {
"type" : "keyword"
}
}
},
"total" : {
"type" : "keyword"
}
}
},
"vulnerability" : {
"properties" : {
"assigner" : {
"type" : "keyword"
},
"cve" : {
"type" : "keyword"
},
"cve_version" : {
"type" : "keyword"
},
"cvss" : {
"properties" : {
"cvss2" : {
"properties" : {
"base_score" : {
"type" : "keyword"
},
"exploitability_score" : {
"type" : "keyword"
},
"impact_score" : {
"type" : "keyword"
},
"vector" : {
"properties" : {
"access_complexity" : {
"type" : "keyword"
},
"attack_vector" : {
"type" : "keyword"
},
"authentication" : {
"type" : "keyword"
},
"availability" : {
"type" : "keyword"
},
"confidentiality_impact" : {
"type" : "keyword"
},
"integrity_impact" : {
"type" : "keyword"
},
"privileges_required" : {
"type" : "keyword"
},
"scope" : {
"type" : "keyword"
},
"user_interaction" : {
"type" : "keyword"
}
}
}
}
},
"cvss3" : {
"properties" : {
"base_score" : {
"type" : "keyword"
},
"exploitability_score" : {
"type" : "keyword"
},
"impact_score" : {
"type" : "keyword"
},
"vector" : {
"properties" : {
"access_complexity" : {
"type" : "keyword"
},
"attack_vector" : {
"type" : "keyword"
},
"authentication" : {
"type" : "keyword"
},
"availability" : {
"type" : "keyword"
},
"confidentiality_impact" : {
"type" : "keyword"
},
"integrity_impact" : {
"type" : "keyword"
},
"privileges_required" : {
"type" : "keyword"
},
"scope" : {
"type" : "keyword"
},
"user_interaction" : {
"type" : "keyword"
}
}
}
}
}
}
},
"cwe_reference" : {
"type" : "keyword"
},
"package" : {
"properties" : {
"architecture" : {
"type" : "keyword"
},
"condition" : {
"type" : "keyword"
},
"generated_cpe" : {
"type" : "keyword"
},
"name" : {
"type" : "keyword"
},
"source" : {
"type" : "keyword"
},
"version" : {
"type" : "keyword"
}
}
},
"published" : {
"type" : "date"
},
"rationale" : {
"type" : "keyword"
},
"severity" : {
"type" : "keyword"
},
"title" : {
"type" : "keyword"
},
"updated" : {
"type" : "date"
}
}
}
}
},
"decoder" : {
"properties" : {
"accumulate" : {
"type" : "long"
},
"fts" : {
"type" : "long"
},
"ftscomment" : {
"type" : "keyword"
},
"name" : {
"type" : "keyword"
},
"parent" : {
"type" : "keyword"
}
}
},
"full_log" : {
"type" : "text"
},
"host" : {
"type" : "keyword"
},
"id" : {
"type" : "keyword"
},
"input" : {
"properties" : {
"type" : {
"type" : "keyword"
}
}
},
"location" : {
"type" : "keyword"
}
}
}
}
}