I have successfully transferred logs from winlog to logstash on prem to elastic/kibana cloud. I have created an index pattern and discovered data. In order to test if everything works fine, I went and created a new user on the machine where winlog is installed. I can see this event in elastic as follows:
message:A user account was created. Subject: Security ID: S-1-5-21-3252654080-322283946-1054805376-1113 Account Name: maint_bjelen Account Domain: LAB01 Logon ID: 0x23732 New Account: Security ID: S-1-5-21-1541298375-2807357869-827505638-1005 Account Name: tryme Account Domain: LOGSTASH-CLOUD Attributes: SAM Account Name: tryme Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges -
The problem starts when I want to set up Security detection. I have turned on the default rules and I am trying to use "User Account Creation." I have enabled the rule, but nothing gets detected. I am also getting the following warning:
The following indices are missing the timestamp override field "event.ingested": ["winlogbeat-7.13.0"]
I am also getting this error:
{
  "message": "status_exception",
  "statusCode": 400,
  "attributes": {
    "type": "status_exception",
    "reason": "error while executing search",
    "caused_by": {
      "type": "search_phase_execution_exception",
      "reason": "all shards failed",
      "phase": "query",
      "grouped": true,
      "failed_shards": [
        {
          "shard": 0,
          "index": "winlogbeat-7.13.0",
          "node": "oArFASb5Qzit5aB33VdcsQ",
          "reason": {
            "type": "illegal_argument_exception",
            "reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [host.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory."
          }
        }
      ],
      "caused_by": {
        "type": "illegal_argument_exception",
        "reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [host.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.",
        "caused_by": {
          "type": "illegal_argument_exception",
          "reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [host.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory."
        }
      }
    }
  }
}
Can you please advise?
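An added diagnostic (my own example, not from the post or from Elastic) that reads the JSON a GET winlogbeat-*/_mapping request returns and reports the two conditions the warning and error above point at: event.ingested absent from the index, and host.name mapped as text rather than keyword. The sample mapping is constructed for the example, and the curl command in the comment assumes an $ES variable holding the cluster URL.

```python
# Constructed sample (not taken from the post): what dynamic mapping produces for a
# winlogbeat-7.13.0 index when the Winlogbeat index template was never applied.
SAMPLE_MAPPING = {
    "winlogbeat-7.13.0": {"mappings": {"properties": {
        "@timestamp": {"type": "date"},
        "host": {"properties": {"name": {
            "type": "text",
            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
        }}},
        "event": {"properties": {"code": {"type": "text"}}},
        "message": {"type": "text"},
    }}}
}

# What the Security detection engine needs, per the warning and error in the post.
REQUIRED = {
    "event.ingested": "date",  # timestamp override field the prebuilt rules use
    "host.name": "keyword",    # rules aggregate/sort on it; a text field is rejected
}

def field_type(properties, dotted):
    """Walk a dotted ECS field name (e.g. 'host.name') through nested 'properties'."""
    node = {"properties": properties}
    for part in dotted.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node.get("type")

def check_mapping(mapping):
    """Return {index_name: [problem, ...]} for a GET <index>/_mapping response."""
    report = {}
    for index, body in mapping.items():
        props = body.get("mappings", {}).get("properties", {})
        issues = []
        for field, expected in REQUIRED.items():
            actual = field_type(props, field)
            if actual is None:
                issues.append(f"{field}: missing (expected {expected})")
            elif actual != expected:
                issues.append(f"{field}: mapped as {actual}, expected {expected}")
        report[index] = issues
    return report

if __name__ == "__main__":
    # Offline run on the constructed sample; for a live cluster, load the JSON that
    # `curl -s "$ES/winlogbeat-*/_mapping"` returns and pass it to check_mapping().
    for index, issues in check_mapping(SAMPLE_MAPPING).items():
        print(index, "OK" if not issues else "needs attention")
        for issue in issues:
            print("  -", issue)
```

A host.name mapped as text with a .keyword subfield is the shape dynamic mapping gives a string when no index template matched before the first document arrived; the error's own advice is to use a keyword field rather than to enable fielddata on the text field.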