No indices match pattern “filebeat-*”


Suat Toksöz

Oct 15, 2019, 9:25:51 AM
to Wazuh mailing list

Hi,


After running this script on wazuh-manager, we are getting an error. What we want to do is insert the Filebeat dashboard into Kibana. Our log structure is W Agent > W Manager > Filebeat > Logstash > Elasticsearch > Kibana.

Script:

sudo filebeat setup -e -E output.logstash.enabled=false -E output.elasticsearch.hosts=['localhost:9200'] -E setup.kibana.host=localhost:5601

Error:

No indices match pattern “filebeat-*”


  1. How can we redo this change?
  2. How can we see the filebeat or logstash indices in Kibana?



Best regards,

Suat Toksöz

Miguel Keane

Oct 15, 2019, 11:41:06 AM
to Wazuh mailing list
Hello Suat, 

First of all, what are you trying to use the dashboards for? Maybe there's a better approach for what you're trying to do. 

Secondly, if you could send me the content of the following files: /etc/filebeat/filebeat.yml and those in /etc/logstash/conf.d/....

And also it might be interesting to have a look into: /etc/elasticsearch/elasticsearch.yml and /etc/kibana/kibana.yml

In those files we have the configuration that is probably causing the error. What version of elasticsearch are you using? 

If you could provide me with this information I will be able to help you much better. Also tell me if you want me to guide you a bit through the process.



Best Regards, 
Miguel Keane

Suat Toksöz

Oct 16, 2019, 2:18:54 AM
to Miguel Keane, Wazuh mailing list
Hi Miguel,

What we want is this: get the logs from the PC (wazuh-agent), then move those logs to wazuh-server > filebeat > logstash, then show them in Kibana.
We want to use the sample dashboards to display the data (filebeat dashboard, auditbeat dashboard).

Thanks
Suat Toksöz
Wazuh 3.10
ELK 7.32.


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a30f2485-b716-44b3-afca-4975ff4a985e%40googlegroups.com.


--

Best regards,

Suat Toksöz

Miguel Keane

Oct 16, 2019, 10:50:18 AM
to Wazuh mailing list
Hello Suat, 

We no longer recommend using Logstash since Wazuh 3.9, as Filebeat is now capable of connecting directly to Elasticsearch.
Also, I recommend following the steps in our documentation (making sure you are looking at the 3.10 version), as they should work fine.

However, in order to help you further and if you wish to keep Logstash, I am going to need to see the content of your configuration files. 

The Filebeat conf file is:  
/etc/filebeat/filebeat.yml

And inside this folder:

/etc/logstash/conf.d/

There you can find different files with Logstash configuration. If you could do me the favour of forwarding me their content I will be able to solve your issue. 

Regards, 
Miguel Keane Cañizares



Suat Toksöz

Oct 17, 2019, 2:19:50 AM
to Miguel Keane, Wazuh mailing list
Hi Miguel,

We have removed Logstash and its configuration from the Wazuh server. Now we move the logs from Filebeat to Elasticsearch directly, but we are still getting an error on the Filebeat indices.

root@wazuhserver:~# cat /etc/filebeat/filebeat.yml 
# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false

output.elasticsearch.hosts: ['http://localhost:9200']



No indices match pattern "filebeat-*"
Error: No indices match pattern "filebeat-*" at http://xx.x.xxx.x.x.x.x:5601/bundles/commons.bundle.js:3:3097063




root@wazuhserver:~# cat /var/log/filebeat/filebeat
2019-10-17T09:14:24.313+0300 INFO instance/beat.go:607 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2019-10-17T09:14:24.314+0300 INFO instance/beat.go:615 Beat ID: bb45d883-5186-45a0-87c2-b5c753d43d30
2019-10-17T09:14:24.314+0300 INFO [beat] instance/beat.go:903 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "bb45d883-5186-45a0-87c2-b5c753d43d30"}}}
2019-10-17T09:14:24.314+0300 INFO [beat] instance/beat.go:912 Build info {"system_info": {"build": {"commit": "5b046c5a97fe1e312f22d40a1f05365621aad621", "libbeat": "7.3.2", "time": "2019-09-06T13:49:32.000Z", "version": "7.3.2"}}}
2019-10-17T09:14:24.314+0300 INFO [beat] instance/beat.go:915 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.12.4"}}}
2019-10-17T09:14:24.314+0300 INFO [beat] instance/beat.go:919 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-17T08:59:15+03:00","containerized":false,"name":"xxxxxxxxxxxxxxx","ip":["127.0.0.1/8","::1/128","10.212.0.153/24","fe80::250:56ff:fe96:9236/64"],"kernel_version":"4.9.0-11-amd64","mac":["00:50:56:96:92:36"],"os":{"family":"debian","platform":"debian","name":"Debian GNU/Linux","version":"9 (stretch)","major":9,"minor":0,"patch":0,"codename":"stretch"},"timezone":"+03","timezone_offset_sec":10800,"id":"7d7e83c7dd75426d921fe45df035dedd"}}}
2019-10-17T09:14:24.315+0300 INFO [beat] instance/beat.go:948 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/root", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 2448, "ppid": 1111, "seccomp": {"mode":"disabled"}, "start_time": "2019-10-17T09:14:23.370+0300"}}}
2019-10-17T09:14:24.315+0300 INFO instance/beat.go:292 Setup Beat: filebeat; Version: 7.3.2
2019-10-17T09:14:24.315+0300 INFO elasticsearch/client.go:170 Elasticsearch url: http://localhost:9200
2019-10-17T09:14:24.315+0300 INFO [publisher] pipeline/module.go:97 Beat name: xxxxxxxxxxxxxxxx
2019-10-17T09:14:24.316+0300 INFO beater/filebeat.go:92 Enabled modules/filesets: wazuh (alerts),  ()
2019-10-17T09:14:24.317+0300 INFO elasticsearch/client.go:170 Elasticsearch url: http://localhost:9200
2019-10-17T09:14:24.324+0300 INFO elasticsearch/client.go:743 Attempting to connect to Elasticsearch version 7.3.2
2019-10-17T09:14:24.354+0300 INFO template/load.go:169 Existing template will be overwritten, as overwrite is enabled.
2019-10-17T09:14:24.453+0300 INFO template/load.go:108 Try loading template filebeat-7.3.2 to Elasticsearch
2019-10-17T09:14:24.524+0300 INFO template/load.go:100 template with name 'filebeat-7.3.2' loaded.
2019-10-17T09:14:24.525+0300 INFO [index-management] idxmgmt/std.go:289 Loaded index template.





--

Best regards,

Suat Toksöz


Miguel Keane

Oct 17, 2019, 10:19:01 AM
to Wazuh mailing list
Hello Suat, 

Just to make sure, do you have Elasticsearch and Filebeat on the same machine? Because if not, localhost will not work; you would need to use the IP address of the Elasticsearch machine.
Ok, in order to test the connection, could you try this on your terminal? 
filebeat test output

Some other interesting places to look into: you sent me the Filebeat log, but it would also be worthwhile to check Elasticsearch's log. You can find it in: 
/var/log/elasticsearch/<my-cluster-name>.log

Also, if you could send me the results of the following commands: 
curl http://localhost:9200/_cat/indices
curl http://localhost:9200/_cat/templates

I have found these links that might be of interest to your problem: 
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-template.html

And here there is a demo of a dashboard of filebeats in Kibana: 
https://demo.elastic.co/app/monitoring#/beats

I hope some of this was of some help. I will wait for your response to further help you. 

Regards, 
Miguel Keane

Suat Toksöz

Oct 17, 2019, 2:12:16 PM
to Miguel Keane, Wazuh mailing list
Hi Miguel,

Yes, we have Elasticsearch and Filebeat on the same machine. I am sharing the log and output results that you requested.


root@wazuhserverxxxx:~# filebeat test output
elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: ::1, 127.0.0.1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.3.2


var/log/elasticsearch/<my-cluster-name>.log
 at java.lang.Thread.run(Thread.java:835) [?:?]
[2019-10-17T15:01:11,672][DEBUG][o.e.a.s.TransportSearchAction] [wazuh-server] [auditbeat-7.4.0-2019.10.17][0], node[NkS_CcqmQbighUX_OrjIFw], [P], s[STARTED], a[id=JTHEi8YISVqs7j1AlxUGAQ]: Failed to execute [SearchRequest{searchType=QUERY_THEN_FETCH, indices=[auditbeat-*, filebeat-*, packetbeat-*, winlogbeat-*], indicesOptions=IndicesOptions[ignore_unavailable=true, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=true, ignore_aliases=false, ignore_throttled=true], types=[], routing='null', preference='null', requestCache=null, scroll=null, maxConcurrentShardRequests=0, batchedReduceSize=512, preFilterShardSize=128, allowPartialSearchResults=true, localClusterAlias=null, getOrCreateAbsoluteStartMillis=-1, ccsMinimizeRoundtrips=true, source={"size":0,"query":{"bool":{"filter":[{"range":{"@timestamp":{"from":1571225273197,"to":1571311673197,"include_lower":true,"include_upper":true,"boost":1.0}}}],"should":[{"bool":{"must":[{"term":{"agent.type":{"value":"auditbeat","boost":1.0}}},{"term":{"event.module":{"value":"auditd","boost":1.0}}},{"term":{"event.action":{"value":"executed","boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}},{"bool":{"must":[{"term":{"agent.type":{"value":"auditbeat","boost":1.0}}},{"term":{"event.module":{"value":"system","boost":1.0}}},{"term":{"event.dataset":{"value":"process","boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}},{"bool":{"must":[{"term":{"agent.type":{"value":"winlogbeat","boost":1.0}}},{"term":{"event.code":{"value":"4688","boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}},{"bool":{"must":[{"term":{"winlog.event_id":{"value":1,"boost":1.0}}},{"term":{"winlog.channel":{"value":"Microsoft-Windows-Sysmon/Operational","boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}}],"adjust_pure_negative":true,"minimum_should_match":"1","boost":1.0}},"track_total_hits":-1,"aggregations":{"process_count":{"cardinality":{"field":"process.name"}},"group_by_process":{"terms":{"field":"process.name","size":11,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"host_count":"asc"},{"_count":"asc"},{"_key":"asc"}]},"aggregations":{"process":{"top_hits":{"from":0,"size":1,"version":false,"seq_no_primary_term":false,"explain":false,"_source":{"includes":["process.args","process.name","user.id","user.name"],"excludes":[]},"sort":[{"@timestamp":{"order":"desc"}}]}},"host_count":{"cardinality":{"field":"host.name"}},"hosts":{"terms":{"field":"host.name","size":10,"min_doc_count":1,"shard_min_doc_count":0,"show_term_doc_count_error":false,"order":[{"_count":"desc"},{"_key":"asc"}]},"aggregations":{"host":{"top_hits":{"from":0,"size":1,"version":false,"seq_no_primary_term":false,"explain":false,"_source":{"includes":[],"excludes":[]}}}}}}}}}}] lastShard [true]
org.elasticsearch.transport.RemoteTransportException: [wazuh-server][127.0.0.1:9300][indices:data/read/search[phase/query]]
Caused by: java.lang.IllegalArgumentException: Fielddata is disabled on text fields by default. Set fielddata=true on [process.name] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.
at org.elasticsearch.index.mapper.TextFieldMapper$TextFieldType.fielddataBuilder(TextFieldMapper.java:759) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.index.fielddata.IndexFieldDataService.getForField(IndexFieldDataService.java:116) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.index.query.QueryShardContext.getForField(QueryShardContext.java:191) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.search.aggregations.support.ValuesSourceConfig.resolve(ValuesSourceConfig.java:95) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.search.aggregations.support.ValuesSourceAggregationBuilder.resolveConfig(ValuesSourceAggregationBuilder.java:321) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.search.aggregations.support.ValuesSourceAggregationBuilder.doBuild(ValuesSourceAggregationBuilder.java:314) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.search.aggregations.support.ValuesSourceAggregationBuilder$LeafOnly.doBuild(ValuesSourceAggregationBuilder.java:42) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.search.aggregations.AbstractAggregationBuilder.build(AbstractAggregationBuilder.java:139) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.search.aggregations.AggregatorFactories$Builder.build(AggregatorFactories.java:332) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.search.SearchService.parseSource(SearchService.java:789) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.search.SearchService.createContext(SearchService.java:591) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:550) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:353) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.search.SearchService.lambda$executeQueryPhase$1(SearchService.java:340) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.action.ActionListener.lambda$map$2(ActionListener.java:145) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:62) [elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.search.SearchService$2.doRun(SearchService.java:1052) [elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.common.util.concurrent.TimedRunnable.doRun(TimedRunnable.java:44) [elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:758) [elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.3.2.jar:7.3.2]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:835) [?:?]
[2019-10-17T15:15:00,775][INFO ][o.e.c.m.MetaDataUpdateSettingsService] [wazuh-server] updating number_of_replicas to [0] for indices [wazuh-monitoring-3.x-2019.10.17]
[2019-10-17T15:30:01,246][INFO ][o.e.c.m.MetaDataUpdateSettingsService] [wazuh-server] updating number_of_replicas to [0] for indices [wazuh-monitoring-3.x-2019.10.17]
[2019-10-17T15:45:01,671][INFO ][o.e.c.m.MetaDataUpdateSettingsService] [wazuh-server] updating number_of_replicas to [0] for indices [wazuh-monitoring-3.x-2019.10.17]
[2019-10-17T16:00:01,219][INFO ][o.e.c.m.MetaDataUpdateSettingsService] [wazuh-server] updating number_of_replicas to [0] for indices [wazuh-monitoring-3.x-2019.10.17]
[2019-10-17T16:15:01,627][INFO ][o.e.c.m.MetaDataUpdateSettingsService] [wazuh-server] updating number_of_replicas to [0] for indices [wazuh-monitoring-3.x-2019.10.17]
[2019-10-17T16:30:01,201][INFO ][o.e.c.m.MetaDataUpdateSettingsService] [wazuh-server] updating number_of_replicas to [0] for indices [wazuh-monitoring-3.x-2019.10.17]
[2019-10-17T16:45:01,565][INFO ][o.e.c.m.MetaDataUpdateSettingsService] [wazuh-server] updating number_of_replicas to [0] for indices [wazuh-monitoring-3.x-2019.10.17]
[2019-10-17T17:00:01,375][INFO ][o.e.c.m.MetaDataUpdateSettingsService] [wazuh-server] updating number_of_replicas to [0] for indices [wazuh-monitoring-3.x-2019.10.17]
[2019-10-17T17:15:01,657][INFO ][o.e.c.m.MetaDataUpdateSettingsService] [wazuh-server] updating number_of_replicas to [0] for indices [wazuh-monitoring-3.x-2019.10.17]
[2019-10-17T17:30:01,080][INFO ][o.e.c.m.MetaDataUpdateSettingsService] [wazuh-server] updating number_of_replicas to [0] for indices [wazuh-monitoring-3.x-2019.10.17]
[2019-10-17T17:45:01,634][INFO ][o.e.c.m.MetaDataUpdateSettingsService] [wazuh-server] updat



curl http://localhost:9200/_cat/indices
yellow open auditbeat-7.4.0-2019.10.15        koaGRTutSKWDYJsyeHGa4Q 1 1  7072  0   4.7mb   4.7mb
green  open .kibana_task_manager              DxMgXXmvQYWogxVy7JgYfA 1 0     2  0  13.7kb  13.7kb
green  open wazuh-alerts-3.x-2019.10.16       zXrtVbokSs2Bn78yKa1ZsQ 3 0    49  0 375.1kb 375.1kb
yellow open auditbeat-7.4.0-2019.10.16        yhLtFLasS022I5ZsZSyvsQ 1 1 21072  0  13.6mb  13.6mb
green  open wazuh-monitoring-3.x-2019.10.17   En8RtfDUSvGmt4FMglVvAA 2 0    74  0 214.9kb 214.9kb
yellow open auditbeat-7.4.0-2019.10.17        0cfBts8lQa-qK5f_6eGGEA 1 1  6145  0   4.3mb   4.3mb
green  open wazuh-alerts-3.x-2019.10.17       XRR0HqF_QJuzNLKksl7WGw 3 0   292  0   811kb   811kb
yellow open .wazuh                            JB9hHgaKSgqEoAXN4ysgVQ 1 1     1  0  12.5kb  12.5kb
green  open wazuh-monitoring-3.x-2019.10.16   x1rwtDnKTC-KiEPXpOrNoA 2 0    95  0 266.7kb 266.7kb
green  open .kibana_2                         dlB2d4viTcKLy6iMPQ8kwg 1 0  1054 65 645.1kb 645.1kb
green  open wazuh-alerts-3.x-2019.10.15       qBruOgymQn6siv89QBCGvQ 3 0   388  0 804.3kb 804.3kb
green  open .kibana_1                         jgq3aT6NQZiXCLFzTr_1vg 1 0     4  3  59.7kb  59.7kb
green  open wazuh-monitoring-3.x-2019.10.15   jF4vFw64Rby8KKzIOPXonQ 2 0    62  0 156.5kb 156.5kb
yellow open auditbeat-7.4.0-2019.10.17-000001 Q1psw2jMRriBWThEE-YBSg 1 1     0  0    283b    283b



curl http://localhost:9200/_cat/templates
.monitoring-alerts-7        [.monitoring-alerts-7]                     0          7000199
.ml-state                   [.ml-state*]                               0          7030299
wazuh-agent                 [wazuh-monitoring-3.x-*]                   0          
logstash                    [logstash-*]                               0          60001
auditbeat-7.4.0             [auditbeat-7.4.0-*]                        1          
.monitoring-beats           [.monitoring-beats-7-*]                    0          7000199
.ml-meta                    [.ml-meta]                                 0          7030299
.watch-history-10           [.watcher-history-10*]                     2147483647
.management-beats           [.management-beats]                        0          70000
.triggered_watches          [.triggered_watches*]                      2147483647
.logstash-management        [.logstash]                                0          
.watches                    [.watches*]                                2147483647
.monitoring-logstash        [.monitoring-logstash-7-*]                 0          7000199
filebeat-7.3.2              [filebeat-7.3.2-*]                         1          
wazuh                       [wazuh-alerts-3.x-*, wazuh-archives-3.x-*] 0          1
.monitoring-es              [.monitoring-es-7-*]                       0          7000199
.kibana_task_manager        [.kibana_task_manager]                     0          7030299
.data-frame-notifications-1 [.data-frame-notifications-*]              0          7030299
.ml-notifications           [.ml-notifications]                        0          7030299
.monitoring-kibana          [.monitoring-kibana-7-*]                   0          7000199
.ml-anomalies-              [.ml-anomalies-*]                          0          7030299
.data-frame-internal-1      [.data-frame-internal-1]                   0          7030299
.ml-config                  [.ml-config]                               0          7030299



--

Best regards,

Suat Toksöz

Wazuh 3.10.2
Elastic Stack 7.3.2
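The two listings above are the whole diagnosis if you read them together: `_cat/templates` shows a `filebeat-7.3.2` template with pattern `filebeat-7.3.2-*`, while `_cat/indices` contains no index starting with `filebeat-` at all, so any Kibana index pattern `filebeat-*` has nothing to match. The following Python script is an added example, not code from this thread or from Wazuh or Elastic. It parses the plain-text output of `curl http://localhost:9200/_cat/indices` and `curl http://localhost:9200/_cat/templates` and reports, for each loaded template and for a given Kibana pattern, which indices actually exist. The embedded sample rows are a constructed subset of the listings above; the function names and the matching rule (only `*` is a wildcard in Elasticsearch index patterns) are my own choices.

```python
"""Cross-check Elasticsearch index templates against existing indices.

Added example (not from the thread, Wazuh or Elastic). Given the text that
`curl http://localhost:9200/_cat/indices` and `_cat/templates` print, report
which indices each template pattern and each Kibana index pattern matches.
A loaded template does not satisfy Kibana; only a written index does.
"""
import re

# Constructed sample rows (subset of the listings pasted in the thread).
CAT_INDICES = """\
yellow open auditbeat-7.4.0-2019.10.15        koaGRTutSKWDYJsyeHGa4Q 1 1  7072  0   4.7mb   4.7mb
green  open .kibana_task_manager              DxMgXXmvQYWogxVy7JgYfA 1 0     2  0  13.7kb  13.7kb
green  open wazuh-alerts-3.x-2019.10.16       zXrtVbokSs2Bn78yKa1ZsQ 3 0    49  0 375.1kb 375.1kb
green  open wazuh-monitoring-3.x-2019.10.17   En8RtfDUSvGmt4FMglVvAA 2 0    74  0 214.9kb 214.9kb
yellow open auditbeat-7.4.0-2019.10.17-000001 Q1psw2jMRriBWThEE-YBSg 1 1     0  0    283b    283b
"""

CAT_TEMPLATES = """\
wazuh-agent                 [wazuh-monitoring-3.x-*]                   0
auditbeat-7.4.0             [auditbeat-7.4.0-*]                        1
filebeat-7.3.2              [filebeat-7.3.2-*]                         1
wazuh                       [wazuh-alerts-3.x-*, wazuh-archives-3.x-*] 0          1
"""

# `_cat/templates` row: name  [pattern, pattern]  order  [version]
_TEMPLATE_RE = re.compile(r"^(\S+)\s+\[([^\]]*)\]\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_cat_indices(text):
    """Return {index_name: docs_count} from the default `_cat/indices`
    columns: health status index uuid pri rep docs.count docs.deleted ..."""
    indices = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank line, or a closed index that reports no counts
        indices[fields[2]] = int(fields[6])
    return indices


def parse_cat_templates(text):
    """Return {template_name: [index_pattern, ...]} from `_cat/templates`."""
    templates = {}
    for line in text.splitlines():
        m = _TEMPLATE_RE.match(line)
        if m:
            templates[m.group(1)] = [p.strip() for p in m.group(2).split(",")]
    return templates


def index_pattern_matches(pattern, index_names):
    """Indices matched by an Elasticsearch index pattern. Only `*` is a
    wildcard; `?` and `[` are literal, unlike shell globs or fnmatch."""
    regex = re.compile(re.escape(pattern).replace(r"\*", ".*") + r"\Z")
    return sorted(name for name in index_names if regex.match(name))


def template_coverage(indices, templates):
    """For every template, the existing indices its patterns match."""
    return {name: sorted({idx for pat in patterns
                          for idx in index_pattern_matches(pat, indices)})
            for name, patterns in templates.items()}


def templates_without_indices(indices, templates):
    """Templates that are loaded but match no index yet: these are the
    patterns a dashboard setup will report as having no indices."""
    coverage = template_coverage(indices, templates)
    return sorted(name for name, hits in coverage.items() if not hits)


if __name__ == "__main__":
    indices = parse_cat_indices(CAT_INDICES)
    templates = parse_cat_templates(CAT_TEMPLATES)
    for pattern in ("filebeat-*", "auditbeat-*", "wazuh-alerts-3.x-*"):
        hits = index_pattern_matches(pattern, indices) or "NO INDICES"
        print(f"{pattern:22s} -> {hits}")
    print("templates with no indices:", templates_without_indices(indices, templates))
```

Paste real `_cat` output into the two constants (or feed the strings from a `curl` call) and the last line of output names every template that has no backing index. For the listing in this thread that is `filebeat-7.3.2`: the template load seen in the Filebeat log succeeded, but nothing has been written under `filebeat-7.3.2-*`, because the Wazuh module ships alerts to `wazuh-alerts-3.x-*` instead. The check to make before loading dashboards is therefore whether events are actually being indexed under the pattern, not whether the template exists.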

Miguel Keane

Oct 17, 2019, 3:06:33 PM
to Wazuh mailing list
Hello Suat, 

Try executing the following: 

filebeat setup --index-management -E setup.template.json.enabled=false


With that you should be able to load the Filebeat template, which you are missing, as it does not show up in: curl http://localhost:9200/_cat/indices

Once you have the template you should be able to work on your dashboard. 
I sincerely hope this solution works for you, but feel free to ask any more questions. 

Best regards, 
Miguel Keane Cañizares

Suat Toksöz

Oct 18, 2019, 1:53:25 AM
to Miguel Keane, Wazuh mailing list
Hi Miguel,

I am still getting an error message on the index setup: "ILM policy and write alias loading not enabled."


root@asdasdasd:~# filebeat setup --index-management -E setup.template.json.enabled=false
ILM policy and write alias loading not enabled.
Index setup finished.



root@asdasdasd:~# curl http://localhost:9200/_cat/indices
green  open wazuh-alerts-3.x-2019.10.18       DwPYplQcTVOXPRpGgAAvVw 3 0     8  0 118.2kb 118.2kb
yellow open auditbeat-7.4.0-2019.10.15        koaGRTutSKWDYJsyeHGa4Q 1 1  7072  0   4.7mb   4.7mb
green  open .kibana_task_manager              DxMgXXmvQYWogxVy7JgYfA 1 0     2  0  31.4kb  31.4kb
green  open wazuh-monitoring-3.x-2019.10.18   IN25aer5Rh2WlhImVkCggg 2 0    48  0 188.8kb 188.8kb
green  open wazuh-alerts-3.x-2019.10.16       zXrtVbokSs2Bn78yKa1ZsQ 3 0    49  0 375.1kb 375.1kb
yellow open auditbeat-7.4.0-2019.10.16        yhLtFLasS022I5ZsZSyvsQ 1 1 21072  0  13.6mb  13.6mb
green  open wazuh-monitoring-3.x-2019.10.17   En8RtfDUSvGmt4FMglVvAA 2 0   146  0   235kb   235kb
yellow open auditbeat-7.4.0-2019.10.17        0cfBts8lQa-qK5f_6eGGEA 1 1  6145  0   4.3mb   4.3mb
green  open wazuh-alerts-3.x-2019.10.17       XRR0HqF_QJuzNLKksl7WGw 3 0   300  0   901kb   901kb
yellow open .wazuh                            JB9hHgaKSgqEoAXN4ysgVQ 1 1     1  0  12.5kb  12.5kb
green  open wazuh-monitoring-3.x-2019.10.16   x1rwtDnKTC-KiEPXpOrNoA 2 0    95  0 266.7kb 266.7kb
green  open .kibana_2                         dlB2d4viTcKLy6iMPQ8kwg 1 0  1054 66 650.6kb 650.6kb
green  open wazuh-alerts-3.x-2019.10.15       qBruOgymQn6siv89QBCGvQ 3 0   388  0 804.3kb 804.3kb
green  open .kibana_1                         jgq3aT6NQZiXCLFzTr_1vg 1 0     4  3  59.7kb  59.7kb
green  open wazuh-monitoring-3.x-2019.10.15   jF4vFw64Rby8KKzIOPXonQ 2 0    62  0 156.5kb 156.5kb
yellow open auditbeat-7.4.0-2019.10.17-000001 Q1psw2jMRriBWThEE-YBSg 1 1     0  0    283b    283b

--

Best regards,

Suat Toksöz

Wazuh 3.10.2
Elastic Stack 7.3.2


Miguel Keane

Oct 18, 2019, 8:54:18 AM
to Wazuh mailing list
Hello Suat,

Looking into your configuration, you need to enable the ILM policy. 


root@wazuhserver:~# cat /etc/filebeat/filebeat.yml

# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false

output.elasticsearch.hosts: ['http://localhost:9200']

You have ILM disabled; if you wish to use it, you have to change it to true. But it shouldn't be an error, just a warning so that you know you're not setting it up. 

Hope you finally get it to work, do not hesitate to ask more questions if needed. 

Best regards, 
Miguel Keane

Suat Toksöz

Oct 18, 2019, 10:10:45 AM
to Miguel Keane, Wazuh mailing list
Hi Miguel,

After changing the elasticsearch.yml, it is working now. Thanks

setup.ilm.enabled: true

Regards


--

Best regards,

Suat Toksöz

Wazuh 3.10.2
Elastic Stack 7.3.2
