[SIEM] Authentications table doesn't show 'Last Success/Failed Source' column if only 'source.ip' is present

I found a solution here but I don't know how to implement it.

please help...

Can you please provide some more information.
What are you trying to do?
What problems are you facing?
What version of Elastic stack are you running?
How are you running the Elastic stack? Self-hosted, Elastic Cloud, ...


Sorry for late reply.
It is a self-hosted Ubuntu Server 20.04 LTS.

{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "8LobUjvQQ-yDInaW6LkZwQ",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Sometimes it displays the Last successful/failed source for a few hosts...

I just tested this out locally by logging in to a Linux-based system with Auditbeat, and things look OK; everything is showing up (I just blocked out the data):

It sometimes isn't going to show you the last successful source or other fields if those aren't part of the events. For example, it cannot show Last successful source if that particular event does not have source.ip within it. Instead it doesn't show anything.

For looking at source code since you're on 7.10.2, I would recommend using a link like the one below where it has /blob/v7.10 within it rather than a commit hash that is a moment in time:

That way you can get to the closest version to what you currently have. I think this might be a case where, depending on how enriched the logs are, you will either get data such as source.ip, or, if you do not have source.ip in your logs, we cannot display that information.


Very strange... In Dashboard/[Winlogbeat Security] User Management Events I can see all source IPs.

But in SIEM/Hosts/Authentications only a few random ones...

I think it might have to do with which events/logs it is taking them from. Also, it is going to take them from the very last record.

If you have 7.10.latest you should be able to determine which log(s) you want per page like so. Could you select only Winlogbeat and take a look? You might have other beats interfering without source.ip filled out.

Also, you can select "Inspect" on the query as I showed above and then run the query in Dev Tools to see if maybe there is a better query for us to use that would show the logs. But if you have source.ip and are using Winlogbeat, it should be showing up for authentication.
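As an added illustration (not code from the thread or from Elastic), a small Python model of the behaviour described in this reply: the column takes source.ip from the newest matching event per host, so a newer event from another shipper without source.ip leaves the cell blank, and restricting to one agent type or listing the offending shipper makes the cause visible. Field names follow ECS; the event data is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed ECS-style authentication events (sample data, not from the thread).
EVENTS = [
    {"@timestamp": "2021-02-01T10:00:00Z", "host": {"name": "web-01"},
     "event": {"outcome": "success"}, "source": {"ip": "10.0.0.5"},
     "agent": {"type": "winlogbeat"}},
    {"@timestamp": "2021-02-01T10:05:00Z", "host": {"name": "web-01"},
     "event": {"outcome": "failure"}, "source": {"ip": "10.0.0.9"},
     "agent": {"type": "winlogbeat"}},
    # The newest success on web-01 came from another beat with no source.ip.
    {"@timestamp": "2021-02-01T10:10:00Z", "host": {"name": "web-01"},
     "event": {"outcome": "success"}, "agent": {"type": "auditbeat"}},
    {"@timestamp": "2021-02-01T09:00:00Z", "host": {"name": "db-01"},
     "event": {"outcome": "success"}, "source": {"ip": "10.0.1.7"},
     "agent": {"type": "winlogbeat"}},
]


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def latest_events(events, agent_type=None):
    """Newest event per (host.name, event.outcome), optionally restricted
    to one shipper, like filtering the page to Winlogbeat only."""
    latest = {}
    for ev in events:
        if agent_type and ev.get("agent", {}).get("type") != agent_type:
            continue
        key = (ev["host"]["name"], ev["event"]["outcome"])
        if key not in latest or _ts(ev) > _ts(latest[key]):
            latest[key] = ev
    return latest


def last_source_by_host(events, agent_type=None):
    """Column value per host: source.ip of the newest event, or None when
    that newest event has no source.ip (the blank cell seen in the thread)."""
    table = defaultdict(dict)
    for (host, outcome), ev in latest_events(events, agent_type).items():
        table[host][outcome] = ev.get("source", {}).get("ip")
    return dict(table)


def blank_column_causes(events):
    """Diagnostic: (host, outcome, agent.type) of newest events lacking
    source.ip, i.e. which shipper is masking the value."""
    return sorted((h, o, ev.get("agent", {}).get("type"))
                  for (h, o), ev in latest_events(events).items()
                  if "ip" not in ev.get("source", {}))
```

Running `last_source_by_host(EVENTS)` gives a blank success source for web-01, while `last_source_by_host(EVENTS, "winlogbeat")` restores 10.0.0.5 and `blank_column_causes(EVENTS)` points at the auditbeat event.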


Thanks for your time and effort.
