I have recently rebuilt my elasticsearch and kibana infrastructure to 7.0 and reinstalled filebeat and metricbeat collectors to 7.0.
I currently collect access and error logs for apache2 (I have the module enabled) as well as system logs for syslog and auth (I have the module enabled as well).
I ran filebeat setup to load the dashboards and reloaded the config however the [Filebeat System] SSH login attempts ECS dashboard does display any data.
I have checked the data in the elasticsearch instance and it appears that there is auth log data from both hosts but maybe it is not parse or formatted correctly?
The [Filebeat Apache] Access and error logs ECS dashboard is working fine.
Can anyone provide any advice as to why the dashboard is not dispaying events for SSH auth and failed events.
Happy to provide any logs or configuration if required.