I found a solution here but I don't know how to implement it.
Please help...
Can you please provide some more information?
What are you trying to do?
What problems are you facing?
What version of the Elastic Stack are you running?
How are you running the Elastic Stack? Self-hosted, Elastic Cloud, ...
Sorry for the late reply.
It is a self-hosted Ubuntu Server 20.04 LTS.
{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "8LobUjvQQ-yDInaW6LkZwQ",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
Sometimes it displays Last successful/failed source for only a few hosts...
I just tested this out locally by logging in with Auditbeat on a Linux-based system, and things look OK: everything is showing up (I just blocked out the data):
It sometimes isn't going to show you Last successful source or other fields if those aren't part of the events. It cannot show, for example, Last successful source if that particular event does not have source.ip within it. Instead it doesn't show anything.
For looking at the source code, since you're on 7.10.2, I would recommend using a link like the one below that has /blob/v7.10 within it rather than a commit hash, which is a moment in time:
That way you can get to the closest version to what you currently have. I think this might be a case where, depending on how enriched the logs are, you will get data such as source.ip; if you do not have source.ip in your logs, then we cannot display that information.
Very strange... In Dashboard/[Winlogbeat Security] User Management Events I can see all source IPs,
but in SIEM/Hosts/Authentications only a few random ones...
I think it might have to do with which events/logs it is taking them from. Also, it is going to take from the very last record.
If you have 7.10.latest, you should be able to determine which log(s) you want per page like so and select only winlogbeat to take a look. You might have other Beats interfering without source.ip filled out?
Also, you can select Inspect query as I showed above and then run the query in Dev Tools to see if maybe there is a better query for us to use that would show the logs. But if you have source.ip and are using Winlogbeat, it should be showing up for authentication.
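The behaviour described in the two answers above (the table takes only the very latest event per host, and shows nothing when that event lacks source.ip) can be reproduced offline. The script below is an added example, not code from the thread or from Kibana: it mimics that selection logic on a handful of constructed ECS-shaped events and builds an aggregation body you could paste into Dev Tools to find which hosts and outcomes have authentication events without source.ip. The index pattern winlogbeat-*, the host names and the event contents are all assumptions.

```python
"""Added example (not from the original thread or from Kibana): why the SIEM
Hosts > Authentications table can show an empty 'Last successful/failed
source', plus an aggregation query to locate auth events that lack source.ip.
All sample data is constructed; field names follow ECS, index pattern assumed."""
import json

# Constructed sample events (Winlogbeat/Auditbeat-like, ECS field names).
# dc01's newest successful logon has no source.ip (e.g. a local service logon),
# so the table would show nothing for it even though an earlier event had one.
SAMPLE_EVENTS = [
    {"@timestamp": "2021-02-01T10:00:00Z", "host": {"name": "dc01"},
     "event": {"category": "authentication", "outcome": "success"},
     "user": {"name": "alice"}, "source": {"ip": "10.0.0.5"}},
    {"@timestamp": "2021-02-01T10:05:00Z", "host": {"name": "dc01"},
     "event": {"category": "authentication", "outcome": "success"},
     "user": {"name": "svc-backup"}},  # no source.ip on this event
    {"@timestamp": "2021-02-01T10:01:00Z", "host": {"name": "web01"},
     "event": {"category": "authentication", "outcome": "failure"},
     "user": {"name": "root"}, "source": {"ip": "203.0.113.7"}},
    {"@timestamp": "2021-02-01T10:02:00Z", "host": {"name": "web01"},
     "event": {"category": "authentication", "outcome": "success"},
     "user": {"name": "bob"}, "source": {"ip": "10.0.0.9"}},
]


def last_source_per_host(events, outcome):
    """Mimic the table: per host, keep only the newest authentication event
    with the given outcome and report its source.ip (None if absent).
    ISO-8601 UTC timestamps compare correctly as strings."""
    newest = {}
    for ev in events:
        if ev.get("event", {}).get("category") != "authentication":
            continue
        if ev["event"].get("outcome") != outcome:
            continue
        host = ev["host"]["name"]
        if host not in newest or ev["@timestamp"] > newest[host]["@timestamp"]:
            newest[host] = ev
    return {h: ev.get("source", {}).get("ip") for h, ev in newest.items()}


def missing_source_ip_query(host_bucket_size=100):
    """Search body for Kibana Dev Tools (GET winlogbeat-*/_search): bucket
    authentication events by host and outcome, count the ones with no
    source.ip, and return the single newest event in each bucket so you can
    see exactly which record the table would have picked."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event.category": "authentication"}},
        ]}},
        "aggs": {"hosts": {
            "terms": {"field": "host.name", "size": host_bucket_size},
            "aggs": {"outcome": {
                "terms": {"field": "event.outcome"},
                "aggs": {
                    "no_source_ip": {"missing": {"field": "source.ip"}},
                    "latest": {"top_hits": {
                        "size": 1,
                        "sort": [{"@timestamp": {"order": "desc"}}],
                        "_source": ["@timestamp", "user.name", "source.ip"],
                    }},
                },
            }},
        }},
    }


def count_missing_source_ip(events):
    """Offline counterpart of the 'no_source_ip' bucket above, keyed by
    (host, outcome), so the query's expected result can be checked locally."""
    counts = {}
    for ev in events:
        if ev.get("event", {}).get("category") != "authentication":
            continue
        key = (ev["host"]["name"], ev["event"].get("outcome"))
        counts.setdefault(key, 0)
        if "ip" not in ev.get("source", {}):
            counts[key] += 1
    return counts


if __name__ == "__main__":
    print("last successful source:", last_source_per_host(SAMPLE_EVENTS, "success"))
    print("last failed source:    ", last_source_per_host(SAMPLE_EVENTS, "failure"))
    print("events lacking source.ip:", count_missing_source_ip(SAMPLE_EVENTS))
    print("GET winlogbeat-*/_search")
    print(json.dumps(missing_source_ip_query(), indent=2))
```

On the sample data dc01 reports no last successful source at all, even though an earlier event carried 10.0.0.5, because only the newest matching record is consulted. Running the printed query against your own indices shows, per host and outcome, how many events lack source.ip and which record is newest; a non-zero no_source_ip count on the newest event is the condition that leaves the column blank.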
Thanks for your time and effort.