Just started to play around with SIEM. When opening the menu, we are constantly presented with this error. The only logs we are ingesting are our building security logs, and I have manually created logstash filters for this. All events are tied to fields found in the ECS.
Hi @bevano, thanks for posting. It looks like one of your fields is mapped as text and it needs to be mapped as a keyword in order to aggregate in ES. Could you please post the mapping of your index and we can take a look at what field it might be?
Yeah this often happens if you haven't pushed your index templates and you can see us answering this here with some pointers on what to do:
I don't know if it's your winlogbeat, auditbeat, some custom one, etc... but usually if you can get your templates and ECS mapping pushed up and then do a reindex, data reset, you will be ok.
Depends on what you're doing. If you're writing your own downstream agent/beat/script that is going to parse logs and push it as ECS you can use existing tools from the ECS repo here:
and from their tooling guide:
If you want to start without using the tooling you can just push in a mapping you customize using the dev tooling of Kibana from the ECS generated template here:
If you're playing around with beats such as auditbeat, metricbeat, etc... you can do a setup and run one of the beats and then look at the mappings and index lifecycle management (ILM) policies they have as good examples as well.
Those things will probably save you a lot of time. Have fun and let us know how it goes!
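As an added example (not code from this thread, Elastic or the ECS repo), the script below does the two things the replies above ask for: it walks an Elasticsearch mapping and lists the `text` fields that cannot be aggregated (the cause of the SIEM error), then rewrites those fields as `keyword` and wraps the result in a composable index template body that you would push with `PUT _index_template/<name>` before reindexing. The mapping, the field names and the `building-security-*` index pattern are constructed for illustration; `ignore_above: 1024` follows the value ECS uses for its keyword fields.

```python
"""Find text fields in an Elasticsearch mapping that break aggregations, and emit a fixed template.

Added example for the thread above; the mapping and index pattern below are constructed,
not taken from the original poster's cluster.
"""
import copy
import json

# Constructed mapping: what a hand-written logstash pipeline with no index template can produce.
# event.action and message are plain text; source.user.name is text with a keyword sub-field.
SAMPLE_MAPPING = {
    "properties": {
        "@timestamp": {"type": "date"},
        "event": {
            "properties": {
                "action": {"type": "text"},
                "category": {"type": "keyword"},
            }
        },
        "source": {
            "properties": {
                "ip": {"type": "ip"},
                "user": {
                    "properties": {
                        "name": {
                            "type": "text",
                            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
                        }
                    }
                },
            }
        },
        "message": {"type": "text"},
    }
}


def _walk(properties, prefix=""):
    """Yield (dotted_path, field_spec) for every leaf field, descending into object fields."""
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if "properties" in spec:
            yield from _walk(spec["properties"], path + ".")
        else:
            yield path, spec


def find_unaggregatable_text_fields(mapping):
    """Return text fields with fielddata off (the default) and no keyword sub-field.

    A terms aggregation on such a field fails with an illegal_argument_exception
    ("Fielddata is disabled on text fields by default"), which is what surfaces in the SIEM UI.
    """
    bad = []
    for path, spec in _walk(mapping["properties"]):
        if spec.get("type") != "text" or spec.get("fielddata"):
            continue
        subfields = spec.get("fields", {})
        if not any(sub.get("type") == "keyword" for sub in subfields.values()):
            bad.append(path)
    return bad


def fix_mapping(mapping, fields, ignore_above=1024):
    """Return a copy of the mapping with the given dotted fields remapped as keyword."""
    fixed = copy.deepcopy(mapping)
    for path in fields:
        parts = path.split(".")
        node = fixed["properties"]
        for part in parts[:-1]:
            node = node[part]["properties"]
        node[parts[-1]] = {"type": "keyword", "ignore_above": ignore_above}
    return fixed


def build_index_template(mapping, index_patterns=("building-security-*",)):
    """Body for PUT _index_template/<name>; the index pattern is an assumption for this example."""
    return {"index_patterns": list(index_patterns), "template": {"mappings": mapping}}


if __name__ == "__main__":
    problems = find_unaggregatable_text_fields(SAMPLE_MAPPING)
    print("text fields that cannot be aggregated:", problems)
    # ECS defines message as free text, so only the ECS keyword fields are remapped here.
    to_fix = [f for f in problems if f != "message"]
    template = build_index_template(fix_mapping(SAMPLE_MAPPING, to_fix))
    print(json.dumps(template, indent=2))
```

Existing indices keep their old mapping even after the template is in place, which is why the reply above pairs the template push with a reindex or a data reset: the new mapping only applies to indices created after it.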