Visualizations have errors on default page

Hi All,

Just started to play around with SIEM. When opening the menu, we are constantly presented with this error. The only logs we are ingesting are our building security logs, and I have manually created logstash filters for this. All events are tied to fields found in the ECS.

Is there a way we can resolve these errors?

Hi @bevano, thanks for posting. It looks like one of your fields is mapped as text and it needs to be mapped as a keyword in order to aggregate in ES. Could you please post the mapping of your index and we can take a look at what field it might be?

Yeah this often happens if you haven't pushed your index templates and you can see us answering this here with some pointers on what to do:

I don't know if it's your winlogbeat, auditbeat, some custom one, etc... but usually if you can get your templates and ECS mapping pushed up and then do a reindex or data reset, you will be ok.

Thanks @stephmilovic and @Frank_Hassanabad for the reply.

And yes, I haven't pointed it to a template since I was just playing around. After re-reading this https://www.elastic.co/guide/en/ecs/current/index.html under hosts, I can see the type for each of the fields.

I assume if I follow those types in the guide I should be fine?

Depends on what you're doing. If you're writing your own downstream agent/beat/script that is going to parse logs and push it as ECS you can use existing tools from the ECS repo here:

and from their tooling guide:

If you want to start without using the tooling you can just push in a mapping you customize using the dev tooling of Kibana from the ECS generated template here:

If you're playing around with beats such as auditbeat, metricbeat, etc... you can do a setup and run one of the beats and then look at the mappings and index lifecycle management (ILM) policies they have as good examples as well.

Those things will probably save you a lot of time. Have fun and let us know how it goes!
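The two replies above make one concrete point: the SIEM app aggregates on ECS fields such as host.name, and a terms aggregation cannot run on a field Elasticsearch mapped as text, so the fix is to push an ECS mapping template and reindex. Below is an added example (not code from the thread or from Elastic) that audits a mapping the way @stephmilovic asked for and builds the template @Frank_Hassanabad recommends. The index name, the field set and the mapping document are constructed for the example; the ECS types listed are assumptions taken from the ECS reference, and the template body uses the composable index-template format (index_patterns plus template), which is an assumption about the cluster version.

```python
"""Audit an Elasticsearch index mapping for fields Kibana's SIEM cannot
aggregate on, then build the ECS-style index template that fixes them.

Example code written for this thread; not Elastic's own tooling."""
import json

# Constructed sample: the shape returned by GET /building-security-2020/_mapping
# when logstash writes ECS field names but lets Elasticsearch dynamically map
# every string as "text" (hypothetical index name and field set).
SAMPLE_MAPPING = {
    "building-security-2020": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "message": {"type": "text"},
                "host": {"properties": {
                    "name": {"type": "text",
                             "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
                    "ip": {"type": "text"},
                }},
                "event": {"properties": {
                    "action": {"type": "text"},
                    "category": {"type": "keyword"},
                }},
                "user": {"properties": {"name": {"type": "text"}}},
            }
        }
    }
}

# Expected types for the sampled fields, taken from the ECS reference
# (assumption for this example; extend from the generated ECS template).
ECS_TYPES = {
    "@timestamp": "date",
    "message": "text",        # the free-text field; everything else is structured
    "host.name": "keyword",
    "host.ip": "ip",
    "event.action": "keyword",
    "event.category": "keyword",
    "user.name": "keyword",
}


def flatten(properties, prefix=""):
    """Yield (dotted_name, leaf_definition) for every leaf field in a mapping."""
    for name, definition in properties.items():
        full = f"{prefix}{name}"
        if "properties" in definition:
            yield from flatten(definition["properties"], full + ".")
        else:
            yield full, definition


def non_aggregatable_fields(mapping):
    """Text fields with no keyword multi-field: a terms aggregation on these
    fails, which is what breaks the SIEM visualizations."""
    bad = []
    for index in mapping.values():
        for name, definition in flatten(index["mappings"]["properties"]):
            if definition.get("type") != "text":
                continue
            subfields = definition.get("fields", {})
            if not any(f.get("type") == "keyword" for f in subfields.values()):
                bad.append(name)
    return sorted(bad)


def wrong_types(mapping, ecs_types):
    """Fields whose mapped type differs from ECS. Note host.name is caught here
    even though host.name.keyword exists: SIEM queries host.name itself."""
    wrong = []
    for index in mapping.values():
        for name, definition in flatten(index["mappings"]["properties"]):
            expected = ecs_types.get(name)
            if expected and definition.get("type") != expected:
                wrong.append(name)
    return sorted(wrong)


def build_template(mapping, ecs_types, pattern):
    """Composable index template mapping every leaf field per ECS; unknown
    string fields default to keyword (ECS keyword fields use ignore_above 1024)."""
    props = {}
    for index in mapping.values():
        for name, definition in flatten(index["mappings"]["properties"]):
            current = definition.get("type", "keyword")
            ecs_type = ecs_types.get(name, "keyword" if current == "text" else current)
            leaf = {"type": "keyword", "ignore_above": 1024} if ecs_type == "keyword" else {"type": ecs_type}
            parts = name.split(".")
            node = props
            for part in parts[:-1]:          # walk/create the nested object path
                node = node.setdefault(part, {"properties": {}})["properties"]
            node[parts[-1]] = leaf
    return {"index_patterns": [pattern], "template": {"mappings": {"properties": props}}}


if __name__ == "__main__":
    print("not aggregatable:", non_aggregatable_fields(SAMPLE_MAPPING))
    print("differs from ECS:", wrong_types(SAMPLE_MAPPING, ECS_TYPES))
    # PUT _index_template/building-security with this body, then POST _reindex
    # from the old index into a new one matching the pattern.
    print(json.dumps(build_template(SAMPLE_MAPPING, ECS_TYPES, "building-security-*"), indent=2))
```

Run it against the real output of GET /<index>/_mapping by replacing SAMPLE_MAPPING; the fields listed by wrong_types are the ones to fix before reindexing, since a mapping type cannot be changed in place on an existing index.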

Perfect. The majority of it will be done using the existing beats/agent modules but there is some custom stuff that we need ingested.

Thank you very much for the info. Much appreciated
