Just started to play around with SIEM. When opening the menu, we are constantly presented with this error. The only logs we are ingesting are our building security logs, and I have manually created logstash filters for this. All events are tied to fields found in the ECS.
Hi @bevano, thanks for posting. It looks like one of your fields is mapped as text and it needs to be mapped as a keyword in order to aggregate in ES. Could you please post the mapping of your index and we can take a look at what field it might be?
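As an added illustration of the check the reply above asks for (this is not the poster's mapping and not Elastic's own tooling), here is a small Python script that walks a `GET /<index>/_mapping` response and lists the `text`-typed fields that have no `keyword` sub-field and therefore cannot be aggregated on; the index name and field set are a constructed sample.

```python
"""List fields in an Elasticsearch index mapping that are typed `text`
with no `keyword` multi-field, i.e. fields the SIEM app cannot aggregate on."""
from typing import Dict, List

# Constructed sample mimicking a GET /<index>/_mapping response (not a real index).
SAMPLE_MAPPING = {
    "building-security-000001": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "event": {
                    "properties": {
                        # Problem: plain text, no keyword sub-field -> not aggregatable.
                        "action": {"type": "text"},
                        "kind": {"type": "keyword"},
                    }
                },
                "user": {
                    "properties": {
                        # Fine: text with a keyword multi-field (user.name.keyword).
                        "name": {
                            "type": "text",
                            "fields": {"keyword": {"type": "keyword", "ignore_above": 1024}},
                        },
                    }
                },
                "source": {"properties": {"ip": {"type": "ip"}}},
                "message": {"type": "text"},  # free text; normally left as text
            }
        }
    }
}


def text_fields_without_keyword(properties: Dict, prefix: str = "") -> List[str]:
    """Recursively walk a `properties` block; return dotted names of `text`
    fields that lack a `keyword` multi-field."""
    offenders: List[str] = []
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if "properties" in spec:  # object field: descend into its children
            offenders.extend(text_fields_without_keyword(spec["properties"], path + "."))
            continue
        if spec.get("type") == "text":
            multi = spec.get("fields", {})
            if not any(sub.get("type") == "keyword" for sub in multi.values()):
                offenders.append(path)
    return offenders


def check_index_mapping(mapping_response: Dict) -> Dict[str, List[str]]:
    """Run the check for every index in a _mapping response."""
    return {
        index: text_fields_without_keyword(body["mappings"].get("properties", {}))
        for index, body in mapping_response.items()
    }
```

Free-text fields such as `message` are expected to be `text`, so compare the list against the ECS fields the SIEM views actually aggregate on (for example `event.action`) and remap only those as `keyword` or add a `keyword` sub-field.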
Depends on what you're doing. If you're writing your own downstream agent/beat/script that is going to parse logs and push it as ECS you can use existing tools from the ECS repo here:
and from their tooling guide:
If you want to start without using the tooling you can just push in a mapping you customize using the dev tooling of Kibana from the ECS generated template here:
If you're playing around with beats such as auditbeat, metricbeat, etc... you can do a setup and run one of the beats and then look at the mappings and index lifecycle management (ILM) policies they have as good examples as well.
Those things will probably save you a lot of time. Have fun and let us know how it goes!