Closed Fetakungen closed 4 years ago
Solved by recreating index pattern after the logs had filled.
Edit: The firewall is solved but Suricata still shows:
Could not locate that index-pattern-field (id: suricata.eve.alert.signature.keyword)
I suppose this is due to the fact that it hasn't been logged when the pattern is created?
My Suricata log is set like this:
@Fetakungen - This is a known issue with pfSense. See #111 for more details - Unlikely you'll see a complete suricata message.
Issue already captured within issue #111
Describe the bug
Hi, Dunno what I'm doing wrong or if the pf doesn't log several fields, but I'm getting "Could not locate that index-pattern-field (id: *)", e.g. "Could not locate that index-pattern-field (id: network.name.keyword)".
In the firewall dashboard I see blocked actions and the map, and in the Suricata dashboard all fields give "Could not locate that index-pattern-field (id: *)".
To Reproduce
Steps to reproduce the behavior:
ELK: Config input file, set up Docker containers using Docker Compose. - Git cloned 2020-06-15 01-inputs.conf.txt
pfSense: Configure Syslog and Suricata to EVE/SYSLOG.
Kibana: Set up index pattern pf-*; import dashboards from https://github.com/3ilson/pfelk/tree/master/Dashboard
Screenshots If applicable, add screenshots to help explain your problem.
Firewall System (please complete the following information): pfSense 2.4.5
Installation method (manual, ansible-playbook, docker, script): Docker
Elasticsearch, Logstash, Kibana (please complete the following information):
dpkg -l [elasticsearch]|[logstash]|[kibana]
ELK VERSION 7.7
Additional context Add any other context about the problem here.
**Attach the pfELK Error Log (error.pfelk), for Better Assistance**