Wazuh 3.6.1 Visualization error

[Utkarsh Bhargava]

Hello Folks,

We are facing the visualization error in wazuh, it's asking for field data = true.

Please have a look at the attached screenshot and help me.

Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Fielddata is disabled on text fields by default. Set fielddata=true on [agent.name] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"securign-alerts-2018.10.25","node":"ugiW7wdUQymkK_OATYy5ng","reason":{"type":"illegal_argument_exception","reason":"Fielddata is disabled on text fields by default. Set fielddata=true on [agent.name] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."}}],"caused_by":{"type":"illegal_argument_exception","reason":"Fielddata is disabled on text fields by default. Set fielddata=true on [agent.name] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.","caused_by":{"type":"illegal_argument_exception","reason":"Fielddata is disabled on text fields by default. Set fielddata=true on [agent.name] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."}}},"status":400}

A new notification appears

Error in visualization

Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Fielddata is disabled on text fields by default. Set fielddata=true on [agent.name] in order to load fielddata in memory by uninverting the inverted index. Note that this can howeve

[jesus.g...@wazuh.com]

Hi Utkarsh,

My bet is about a missing template or a corrupted index. Your alert documents are not properly mapped in Elasticsearch, ending in the error you are facing because our app is

looking for different field types. 

Even if you have inserted the template properly, your index may be wrong if it was created before inserting the template. Why? Because Logstash was running before inserting the template,

then Elasticsearch started to receive events and created the index without the template. An already created index won't apply a template which was inserted after its creation.

Check if you have inserted the template:

$ curl <elastic_ip>:9200/_cat/templates/wazuh

Expected output:

wazuh [wazuh-alerts-3.x-*] 0

If it's missing, please do this:

$ curl https://raw.githubusercontent.com/wazuh/wazuh/3.6/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://<elastic_ip>:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-

Let's check the mapping for the field agent.name in any index you think might be broken:

$ curl <elastic_ip>:9200/<index_name>/_mapping/field/<field_name>?pretty

Example:

$ curl 172.16.1.4:9200/wazuh-alerts-3.x-2018.10.24/_mapping/field/agent.name?pretty
{
  "wazuh-alerts-3.x-2018.10.24" : {
    "mappings" : {
      "wazuh" : {
        "agent.name" : {
          "full_name" : "agent.name",
          "mapping" : {
            "name" : {
              "type" : "keyword"
            }
          }
        }
      }
    }
  }
}

Your output will be different due to the mapping issue.

Solution:

1. If it's a testing environment, just delete affected indices 

2. If you want to preserve the data, you need a reindex procedure, let us know if you need help with this.

Our installation guide:

• https://documentation.wazuh.com/current/installation-guide/installing-elastic-stack/index.html
  

Reindex documentation:

• https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html
  

What's the trick reindexing?

• Copy all the documents to a new index which applies the new mapping
• Restore the original index

I hope it helps.

Kind regards,

Jesús