Logstash - No Cached mapping

I'm using winlogbeat to ship event logs, and using a simple logstash configuration. It's not my configuration.
https://www.syspanda.com/index.php/2018/05/03/monitoring-active-directory-elk/

From what I can find it's something to do with the add_field.

Here is part of the config:

#Active Directory Logon
filter {
  # Parentheses group the two event IDs so the tag and log_name checks apply to both
  if "winlogbeat" in [tags] and [log_name] == "Security" and ([event_id] == 4624 or [event_id] == 4634) {
    mutate {
      remove_field => ["[message]"]
      add_field => { "short_message" => "Logon Activity" }
    }
  }
}

Here is another part:

filter {
  if "winlogbeat" in [tags] and [log_name] == "Security" and [event_data][LogonType] == "2" {
    mutate {
      add_field => { "Method" => "Interactive - Keyboard" }
    }
  }
  else if [event_data][LogonType] == "3" {
    mutate {
      add_field => { "Method" => "Network Logon" }
    }
  }
}

The message in Kibana: No cached mapping for this field. Refresh field list from the Management > Index Patterns page.

I have refreshed all the indexes, and even rebooted the server, which didn't fix anything.

Which field is Kibana complaining about? Do you see that field in the Index Pattern you are using?

[image: No-Cached]

In the image, it's "Method", and the other fields that are having the same issue are "short_message" and "Statusmsg".

Here is part of the config for "Statusmsg"

filter {
  if "winlogbeat" in [tags] and [log_name] == "Security" and [event_data][Status] == "0x0" {
    mutate {
      add_field => { "Statusmsg" => "Success" }
    }
  }
  else if [event_data][Status] == "0x12" {
    mutate {
      add_field => { "Statusmsg" => "Account: disabled,expired,locked out,logon hours" }
    }
  }
}

And you are saying that when you go to the Management -> Index Patterns page and do a Refresh that message does not go away? If so, you should move this question to the Kibana forum.
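One way to answer "do you see that field in the Index Pattern?" from the Elasticsearch side, as an added example that is not from this thread or the linked guide: walk a `_mapping` response (a constructed sample below, modelled on the field names in the question) and list which of the fields the Logstash filters are supposed to add were never indexed at all. A field that is missing here cannot appear after a Kibana refresh, which points back at the Logstash conditional rather than at Kibana.

```python
# Constructed sample of what GET winlogbeat-*/_mapping returns, modelled on the
# field names in the question (an assumption, not real cluster output).
SAMPLE_MAPPING = {"winlogbeat-2018.05.03": {"mappings": {"properties": {
    "log_name": {"type": "keyword"},
    "event_id": {"type": "long"},
    "event_data": {"properties": {"LogonType": {"type": "keyword"},
                                  "Status": {"type": "keyword"}}},
    "short_message": {"type": "keyword"},
}}}}

# Fields the filter blocks in the question add with mutate/add_field.
EXPECTED_FIELDS = ["short_message", "Method", "Statusmsg"]


def flatten_properties(properties, prefix=""):
    """Dotted path of every leaf field in an Elasticsearch 'properties' tree."""
    paths = set()
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:              # object field: recurse
            paths |= flatten_properties(spec["properties"], path + ".")
        else:
            paths.add(path)
        for sub in spec.get("fields", {}):    # multi-fields such as name.keyword
            paths.add(path + "." + sub)
    return paths


def missing_fields(mapping, expected):
    """Expected fields that no index in the _mapping response defines."""
    present = set()
    for index in mapping.values():
        mappings = index["mappings"]
        # ES 7+: mappings.properties; ES 6: mappings.<doc_type>.properties
        props = mappings.get("properties") or next(
            (t["properties"] for t in mappings.values() if "properties" in t), {})
        present |= flatten_properties(props)
    return sorted(f for f in expected if f not in present)


if __name__ == "__main__":
    # A field listed here was never indexed, so refreshing the index pattern in
    # Kibana cannot pick it up: check the Logstash conditional that should add it.
    print("missing:", missing_fields(SAMPLE_MAPPING, EXPECTED_FIELDS))
```

Against a live cluster, feed it the JSON from `GET winlogbeat-*/_mapping` instead of the constructed sample.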

That is correct, the reason I didn't put this in the Kibana forum is because I wasn't sure if the config was correct.
