No data displaying in dashboard - [Filebeat System] SSH login attempts ECS

bradfordaemorton · April 23, 2019, 6:05am

I have recently rebuilt my elasticsearch and kibana infrastructure to 7.0 and reinstalled filebeat and metricbeat collectors to 7.0.

I currently collect access and error logs for apache2 (I have the module enabled) as well as system logs for syslog and auth (I have the module enabled as well).

I ran filebeat setup to load the dashboards and reloaded the config however the [Filebeat System] SSH login attempts ECS dashboard does display any data.

I have checked the data in the elasticsearch instance and it appears that there is auth log data from both hosts but maybe it is not parse or formatted correctly?

The [Filebeat Apache] Access and error logs ECS dashboard is working fine.

Can anyone provide any advice as to why the dashboard is not dispaying events for SSH auth and failed events.

Happy to provide any logs or configuration if required.

Cheers,
Brad

bradfordaemorton · April 23, 2019, 9:51am

Ok, it appears the date and time of the events is out by 12 hours. I worked out why this happening but I can't fix it. The servers are set to AU timezone with NTP sync enables. Time of the event in auth.log are correct but ingest into elastic and visualisation in kibana appear to be wrong and scewing the data.

Any ideas?

system · May 21, 2019, 9:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.