Many Errors - illegal_argument_exception


Marcelo Naves

May 8, 2024, 10:43:26 AM
to Wazuh | Mailing List
Hello everyone, I would really like to have support from the group to help me identify and resolve the problem. Until April 29th, Wazuh was working normally, but on April 30th it started generating several errors in Dash.

Text fields are not optimized for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.mitre.technique].

They are giving these errors in several fields.

I have already carried out some procedures to download the new filebeat file, and what I found strangest is the following: until April 29th, Wazuh was applying the field model correctly; after this date the type fields started to be indexed as text, generating all these problems. In Elasticsearch, when I validate the model, the correct fields appear, but Wazuh is indexing with the text fields. Below are some prints that help with understanding.
Wazuh Error_1- 30-04.png
Wazuh Error- 30-04.png
Wazuh Ok - 29-04.png
Wazuh Ok_1 - 29-04.png

Matías David Mercado Aragonés

May 8, 2024, 1:05:30 PM
to Wazuh | Mailing List
Hi Marcelo,

Could you please share some details about your Wazuh environment with me?
Which version of Wazuh do you have? Did you upgrade your Wazuh, or make a significant change between April 29th and 30th?
Could you please attach your "wazuh-template.json" to this mail (on your Wazuh indexer: /etc/filebeat/wazuh-template.json)? Did you modify this file?

Regards,
Matías.
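
An added example, not part of the thread and not Wazuh's own code: one way to confirm the symptom described above is to compare the field types declared in the template with the types a daily index actually received. The sample mappings are constructed; on a live system the two inputs are assumed to be the `properties` tree from `wazuh-template.json` and from the index's `GET <index>/_mapping` response.

```python
"""Compare an index template's field types with an index's live mapping."""


def flatten(properties, prefix=""):
    """Return {dotted.field.path: type} for a mapping 'properties' tree."""
    out = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # object field: descend into sub-fields
            out.update(flatten(spec["properties"], path + "."))
        else:
            out[path] = spec.get("type", "object")
    return out


def mapping_drift(template_props, index_props):
    """Return {field: (template_type, index_type)} where the types differ."""
    want = flatten(template_props)
    have = flatten(index_props)
    return {f: (want[f], have[f])
            for f in sorted(want) if f in have and have[f] != want[f]}


# Constructed sample: a small excerpt shaped like a template's properties.
TEMPLATE = {
    "agent": {"properties": {"name": {"type": "keyword"}}},
    "rule": {"properties": {
        "level": {"type": "long"},
        "mitre": {"properties": {"id": {"type": "keyword"},
                                 "technique": {"type": "keyword"}}},
    }},
}

# Constructed sample: an index created without the template applied. Dynamic
# mapping turns every string into "text" with a ".keyword" sub-field, which
# is what makes aggregations on the bare field name fail.
DYNAMIC_STRING = {"type": "text",
                  "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}
INDEX_BAD = {
    "agent": {"properties": {"name": DYNAMIC_STRING}},
    "rule": {"properties": {
        "level": {"type": "long"},
        "mitre": {"properties": {"id": DYNAMIC_STRING,
                                 "technique": DYNAMIC_STRING}},
    }},
}

if __name__ == "__main__":
    for field, (want, have) in mapping_drift(TEMPLATE, INDEX_BAD).items():
        print(f"{field}: template={want} index={have}")
```

Fields reported as `template=keyword index=text` indicate the index was created without the template being applied to it.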