Good morning,
I am unable to see my logs in Kibana (Discovery) after I apply an index template. At first, I mapped all fields (I deleted some) and after I saw it didn't work, I started out mapping only 2 fields of the many that there are. Can anyone help?
I'll explain exactly what I did
1.- I simulated the entrance of logs using a pipeline with DevOps
POST syslog-sophos.xg-2022.12.19/_doc?pipeline=logs-sophos.xg-2.5.1
{
"@timestamp" : "2022-12-19T11:41:28.162308Z",
"@version" : "1",
"event" : {
"original" : "<182>device="SFW" date=2022-12-19 time=11:41:35 timezone="CET" device_name="XGS2300" device_id=X2300000009743 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=...... ""
},
"host" : {
"ip" : "192.168.10.220"
},
"message" : "<182>device="SFW" date=2022-12-19 time=11:41:35 timezone="CET" device_name="XGS2300" device_id=X2300000009743 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=...... "
}
2.- The indexes were correctly created and I was able to query them from the console AND from Discovery.
3.- I created the index using the UI of Kibana aiming at indexes "syslog-sophos.xg*" with just fields
source (object) > ip (type: IP)
destination (object) > ip (type: IP)
4.- I deleted the index b/c I know it won't work if field data types don't match between the index and the template.
5.- Genereted more logs (step 1)
6.- When I go to Discovery I can only see my old logs (older days). The data view is the same "syslog-*"