Closed alemairebe closed 9 months ago
Thanks for the feedback. We will investigate and fix it
Hi, what SIEM version do you use? In the error message, the cause is that apiVersion is defined as a date field. That field is defined as keyword from v2.1.1. If you are using an older version, please update. https://github.com/aws-samples/siem-on-amazon-opensearch-service/blob/v2.1.1/source/lambda/deploy_es/data.ini#L85
Hi, I use the main branch, git commit d395e705f3b85e19fc38245b07424d628da40f5d (after v2.10.1).
Hi, I got it. Please let me know the result of this command in DevTool.
GET _index_template/log-aws-cloudtrail_aws
Do you see "component_template_log-aws"?
If yes, how about this command?
GET _component_template/component_template_log-aws
Then, can you find '"apiVersion": {"type": "keyword"}'?
Next,
GET log-aws-cloudtrail-2023-10
What values does apiVersion key have?
Hi, sorry, I didn't know I had to set up the OpenSearch index templates before running the Lambda. I added the index template and it works as it should. Sorry to have wasted some of your time.
Thanks for the feedback. I'm happy that the issue is solved. If you have any issues, let me know again.
Hello, the Lambda fails to process a CloudTrail event from Inspector:
The CloudTrail event is the following:
Could there be a way to accept apiVersion prefixed by "v"? Thanks!
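The thread turns on one point: whether the apiVersion field is mapped as keyword (any string accepted) or as date (a value like "v1" is rejected). The script below is an added example, not code from the siem-on-amazon-opensearch-service project or from anyone in this thread. It automates the two checks the maintainer asks for (what type the component template gives apiVersion, and whether the event's apiVersion value fits that type) and applies them to the reporter's "v"-prefixed value. The template body, the event, and the helper names make_template, mapped_type, accepts and check_event are all constructed for this example; the date check is an approximation of OpenSearch's default strict_date_optional_time||epoch_millis format, not the real mapper.

```python
"""Added example (not project code): does a CloudTrail event's apiVersion fit the
mapping that the component template gives that field?"""
import re

# Constructed stand-in for the body returned by
#   GET _component_template/component_template_log-aws
# A real response carries many more fields; only apiVersion matters here.
def make_template(field_type):
    return {
        "component_templates": [
            {
                "name": "component_template_log-aws",
                "component_template": {
                    "template": {
                        "mappings": {
                            "properties": {
                                "apiVersion": {"type": field_type},
                                "eventTime": {"type": "date"},
                            }
                        }
                    }
                },
            }
        ]
    }

# Constructed CloudTrail-style event. The key names are real CloudTrail keys;
# the values are invented, with the "v"-prefixed apiVersion from the report.
SAMPLE_EVENT = {
    "eventSource": "inspector2.amazonaws.com",
    "eventTime": "2023-10-05T12:34:56Z",
    "apiVersion": "v1",
}

# Approximation of the default date format strict_date_optional_time||epoch_millis:
# either a run of digits (epoch milliseconds) or an ISO-8601 date with optional time.
_ISO = re.compile(
    r"^\d{4}-\d{2}-\d{2}"
    r"(T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:?\d{2})?)?$"
)


def mapped_type(template_response, template_name, field):
    """Return the mapped type of `field` in the named component template, or None."""
    for entry in template_response.get("component_templates", []):
        if entry.get("name") != template_name:
            continue
        props = (entry["component_template"]["template"]
                 .get("mappings", {}).get("properties", {}))
        return props.get(field, {}).get("type")
    return None


def accepts(field_type, value):
    """Would a field of this mapped type index `value` without a mapper error?"""
    if field_type == "keyword":
        return True  # any string is a valid keyword term, "v1" included
    if field_type == "date":
        s = str(value)
        return s.isdigit() or bool(_ISO.match(s))
    raise ValueError(f"unhandled field type {field_type!r}")


def check_event(template_response, template_name, event, field="apiVersion"):
    """Return (mapped_type, accepted) for event[field] under the given template.

    (None, False) means the template does not map the field at all, so
    dynamic mapping on the index would decide the type instead."""
    ftype = mapped_type(template_response, template_name, field)
    if ftype is None:
        return None, False
    return ftype, accepts(ftype, event[field])


if __name__ == "__main__":
    for ftype in ("date", "keyword"):
        t, ok = check_event(make_template(ftype),
                            "component_template_log-aws", SAMPLE_EVENT)
        print(f"apiVersion mapped as {t}: "
              f"value {SAMPLE_EVENT['apiVersion']!r} accepted={ok}")
```

Run as-is it reports the "date" mapping rejecting "v1" and the "keyword" mapping accepting it, which is the difference between the pre-v2.1.1 template and the current one. To use it against a live cluster, replace make_template(...) with the parsed JSON body of the GET _component_template request and SAMPLE_EVENT with an event taken from the failing Lambda log.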