SIEM App does not display Hostnames from Beats Events

Hi,

we have some problems using the SIEM app and displaying hostnames on the Hosts page when it comes to a setup where you use:
Beats -> Logstash -> Logstash -> Elastic
All components are using up-to-date v7.6.0.
Beats can be Auditbeat and Winlogbeat in our case. I know that if you use Logstash-to-Logstash communication you can't use
index => "%{[@metadata][beat]}-%{[@metadata][version]}" as the index name value in LS, as Logstash does not preserve this information. So we are using agent type and version to set the index name/pattern, which is working fine.

The index templates and patterns for Auditbeat and Winlogbeat are set up manually, and "Discover" displays them correctly.
All logs have the "host.name" field included, which is, as far as I understood, important for the SIEM app to populate the Hosts page with hostnames for events coming from any possible log source.

Is there something more I can check?
Thanks for any advice on this.

Br
Christopher

Hi,

Indeed, host.name is what the SIEM app uses to populate the hosts tables. As long as that field is a keyword field, things should work fine.

Can you check the Elasticsearch mapping for the auditbeat-* and paste us the mapping for host? In Kibana Console you can do:

GET /auditbeat-*/_mapping

And then look for the host properties.

Hi tudor,

Thanks for answering. Here is the host properties part of the auditbeat-*/_mapping. I think that it is defined as a keyword:

{
  "auditbeat-7.6.0-2020.02.18" : {
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
...    
...
...
"host" : {
          "properties" : {
            "architecture" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "containerized" : {
              "type" : "boolean"
            },
            "hostname" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },

Br
Christopher

In the above, I see host.hostname defined as text and host.hostname.keyword defined as keyword. I assume it's the same for host.name.

It sounds like you don't have the right mapping template loaded for the Beats data. See this guide on how to load the template manually. It normally happens automatically when you use Beats -> Elasticsearch directly, but when there's Logstash in-between you need to do that manually.

Note that the template is applied only when new indices are created, so you might have to either drop the current indices or do an index rotation.
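The check tudor asks for above (is host.name mapped as keyword, or only as text with a .keyword subfield from dynamic mapping?) and the template problem diagnosed in the reply can be automated against the JSON that GET /auditbeat-*/_mapping returns. The following script is an added example written for this thread, not code from Elastic or from either poster. It embeds a constructed mapping sample that mirrors the shape Christopher pasted (host fields dynamically mapped as text with a keyword subfield) next to a constructed index that carries the Beats template mapping (host.name as keyword); the index names of the "good" index and the classification labels are assumptions of this example.

```python
"""Report, per index, how host.name is mapped in an Elasticsearch _mapping response.

Added example for this thread (not Elastic's code). Feed it the JSON returned by
GET /<index-pattern>/_mapping; the sample below is constructed to show both the
dynamic mapping seen in the thread and a mapping produced by the Beats template.
"""
import json
import sys

# Constructed sample: first index is dynamically mapped (text + .keyword subfield),
# second index (assumed name) has the Beats template applied (host.name is keyword).
SAMPLE_MAPPING = json.loads("""
{
  "auditbeat-7.6.0-2020.02.18": {
    "mappings": {
      "properties": {
        "@timestamp": {"type": "date"},
        "host": {
          "properties": {
            "hostname": {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
            "name":     {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}
          }
        }
      }
    }
  },
  "auditbeat-7.6.0-example-with-template": {
    "mappings": {
      "properties": {
        "@timestamp": {"type": "date"},
        "host": {
          "properties": {
            "hostname": {"type": "keyword", "ignore_above": 1024},
            "name":     {"type": "keyword", "ignore_above": 1024}
          }
        }
      }
    }
  }
}
""")


def find_field(properties, dotted_path):
    """Walk the nested 'properties' tree of one index mapping along a dotted
    field path (e.g. 'host.name') and return that field's mapping node, or None."""
    node = None
    props = properties
    for part in dotted_path.split("."):
        if not props or part not in props:
            return None
        node = props[part]
        props = node.get("properties")
    return node


def classify(node):
    """Label a field node: 'keyword' (what the SIEM app needs), 'text+keyword-subfield'
    (typical dynamic mapping when no template was loaded), 'missing', or the raw type."""
    if node is None:
        return "missing"
    ftype = node.get("type", "object")
    if ftype == "keyword":
        return "keyword"
    if ftype == "text" and "keyword" in node.get("fields", {}):
        return "text+keyword-subfield"
    return ftype


def check_host_name(mapping_response, field="host.name"):
    """Return {index_name: {field: label, 'ok': bool}} for every index in a
    _mapping response; 'ok' is True only when the field is a top-level keyword."""
    report = {}
    for index_name, body in mapping_response.items():
        props = body.get("mappings", {}).get("properties", {})
        label = classify(find_field(props, field))
        report[index_name] = {field: label, "ok": label == "keyword"}
    return report


if __name__ == "__main__":
    # Pipe a real _mapping response on stdin, or run without input to use the sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_MAPPING
    for index_name, result in sorted(check_host_name(data).items()):
        status = "OK " if result["ok"] else "FIX"
        print(f"{status} {index_name}: host.name is {result['host.name']}")
```

Indices flagged FIX are the ones that were created before the Beats template was loaded; as the reply notes, loading the template does not change them, so they need to be rotated, dropped, or reindexed.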


I went right through the alternate method for loading Beats index templates. So I assume that the index templates are correct, as they have been created by Auditbeat and Winlogbeat themselves.

I'm going to reindex the indices to use the right templates, as I was missing this step.

Reindexing on the correct Index Templates solved the problem.

What about using our own index templates for custom log sources? Use of ECS is clear, but correct index templates seem to me to be one of the key config steps, too (besides adding the index patterns to the SIEM app config). Is there any additional information on how to define correct index templates for custom log sources to be able to have this data in the SIEM app?
