"This event cannot be analyzed since it has incompatible field mappings" On my own log


i am currently integrating our watchguard vpn logs into our Elasticsearch siem.

I basically build a logstash rule that takes its Syslog output and mapps it onto ECS.

While everthing now works as expected, i noticed that when i create Detections for it, i can't use the Analyze button.


Is there a way to figure out which field is wrongly mapped or which data this function needs?

Seeing this too, except in an Auditbeat entry.

I resolved the only unknown field I found, "network direction", but that did not resolve the issue.

Any luck figuring it out?

I'm guessing this explains it:

Looks like it may only be compatible with events from Winlogbeat with the sysmon module, or the endpoint agent.

Find events to analyzeedit

You can only visualize events triggered by hosts configured with the Elastic Endpoint Security Integration or any sysmon data from winlogbeat .

In KQL, this translates to any event with the agent.type set to either:

  • endpoint
  • winlogbeat with event.module set to sysmon

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.