Rules failing

Hi,

I have several rules that come back as Failed after running. I'm getting the following error for many rules. The field names in the unknown column message vary among the different rules.

An error occurred during rule execution: message: "verification_exception
              Root causes:
                             verification_exception: Found 2 problems
line 2:9: Unknown column [winlog.event_data.CallTrace]
line 12:6: Unknown column [winlog.event_data.TargetImage]"

I haven't looked at all the Failed rules yet, but so far, the ones I have looked at all depend on the Windows integration for the Elastic Agent. I looked at the exported fields listed in the Windows integration and it includes both winlog.event_data.CallTrace and winlog.event_data.TargetImage, but when I go to Stack Management > Data Views > logs-* and search on those fields, they are not listed.

Not sure why the Elastic Agent isn't passing these fields back. Some of the other fields referenced as unknown columns are:

winlog.event_data.GrantedAccess
process.parent.name
winlog.event_data.EnabledPrivilegeList

I'm running an on-prem, enterprise-licensed cluster at v8.11.2.

Thanks,
Brad

Hi,

I would suggest finding the ingest pipeline that receives those logs, loading a test log, and testing the pipeline to intercept any errors during ingestion.

Thanks yago. Your suggestion made me go back and look again at the documentation for the Windows integration. In the Changelog section, 1.17.0 notes that most of the fields were moved to Sysmon operational fields. I didn't have the Sysmon channel enabled in the Windows integration.
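The comparison Brad did by hand (rule error text vs. the fields actually in the logs-* data view vs. the fields the Windows integration documents) can be automated. The script below is an added example, not code from this thread or from Elastic. It assumes the data view's field list was fetched with the `_field_caps` API (only the `fields` object is used) and that the integration's exported-field list was copied from its documentation; every sample value below is constructed for the example, including the second rule and the `winlog.event_data.ConstructedField` name, which is not a real field.

```python
import re
from typing import Dict, List, Set

# Shape of the verifier error quoted in the thread: "line N:M: Unknown column [field]"
UNKNOWN_COLUMN_RE = re.compile(r"line \d+:\d+: Unknown column \[([^\]]+)\]")

# Constructed sample: rule name -> error text as the detection engine reports it.
# The first entry mirrors the message quoted in the thread; the second is made up.
SAMPLE_RULE_ERRORS: Dict[str, str] = {
    "Suspicious Process Access": (
        "verification_exception Root causes: verification_exception: Found 2 problems\n"
        "line 2:9: Unknown column [winlog.event_data.CallTrace]\n"
        "line 12:6: Unknown column [winlog.event_data.TargetImage]"
    ),
    "Constructed Privilege Rule": (
        "verification_exception: Found 3 problems\n"
        "line 3:5: Unknown column [winlog.event_data.GrantedAccess]\n"
        "line 4:5: Unknown column [process.parent.name]\n"
        "line 5:5: Unknown column [winlog.event_data.ConstructedField]"  # constructed, not a real field
    ),
}

# Constructed _field_caps-style response for the logs-* data view: only a few
# generic winlog fields are present, none of the Sysmon-sourced ones.
SAMPLE_FIELD_CAPS = {
    "indices": ["logs-windows.forwarded-default"],
    "fields": {
        "@timestamp": {"date": {"type": "date"}},
        "winlog.event_id": {"keyword": {"type": "keyword"}},
        "winlog.channel": {"keyword": {"type": "keyword"}},
        "process.name": {"keyword": {"type": "keyword"}},
    },
}

# Constructed subset of the fields the Windows integration documents as exported.
SAMPLE_INTEGRATION_FIELDS: Set[str] = {
    "winlog.event_id", "winlog.channel", "process.name", "process.parent.name",
    "winlog.event_data.CallTrace", "winlog.event_data.TargetImage",
    "winlog.event_data.GrantedAccess", "winlog.event_data.EnabledPrivilegeList",
}


def parse_unknown_columns(error_text: str) -> List[str]:
    """Return the field names the rule verifier reported as unknown, in order, without duplicates."""
    seen: List[str] = []
    for field in UNKNOWN_COLUMN_RE.findall(error_text):
        if field not in seen:
            seen.append(field)
    return seen


def fields_from_field_caps(field_caps: dict) -> Set[str]:
    """Flatten the 'fields' object of a _field_caps response into a set of field names."""
    return set(field_caps.get("fields", {}).keys())


def triage(rule_errors: Dict[str, str], data_view_fields: Set[str],
           integration_fields: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """Split each rule's unknown columns into three buckets:
    - not_ingested: documented by the integration but absent from the data view,
      i.e. the data stream or channel that produces them is not being shipped
    - not_in_integration: not documented by the integration at all, so the rule
      expects a different data source or integration version
    - present: in the data view yet still reported unknown, which points at the
      rule's own index pattern rather than at ingestion
    """
    report: Dict[str, Dict[str, List[str]]] = {}
    for rule, text in rule_errors.items():
        buckets = {"not_ingested": [], "not_in_integration": [], "present": []}
        for field in parse_unknown_columns(text):
            if field in data_view_fields:
                buckets["present"].append(field)
            elif field in integration_fields:
                buckets["not_ingested"].append(field)
            else:
                buckets["not_in_integration"].append(field)
        report[rule] = buckets
    return report


def fields_to_enable(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Sorted union of 'not_ingested' fields across all rules: the list to check
    against the integration's input/channel settings (in this thread, Sysmon)."""
    missing: Set[str] = set()
    for buckets in report.values():
        missing.update(buckets["not_ingested"])
    return sorted(missing)


if __name__ == "__main__":
    result = triage(SAMPLE_RULE_ERRORS, fields_from_field_caps(SAMPLE_FIELD_CAPS),
                    SAMPLE_INTEGRATION_FIELDS)
    for rule, buckets in result.items():
        print(rule)
        for bucket, fields in buckets.items():
            print(f"  {bucket}: {fields}")
    print("fields to enable:", fields_to_enable(result))
```

The `not_ingested` bucket is the one that matches this thread's outcome: fields the integration documents but that never reach the index because the channel producing them is not enabled. A non-empty `present` bucket would instead mean the rule is querying an index pattern other than the one holding the data, and `not_in_integration` flags rules written for a different or newer integration version.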
