philhagen
commented
2 years ago hi - this is a known error that is fixed upstream. im anticipating a new public release in the coming weeks that will address this, as well as several other items and add new features.
however, I've just cherry-picked those fixes onto public/v20211006 so assuming you're running that version, you should be able to run sudo sof-elk_update.sh, then sof-elk_clear.py -i filesystem and re-load your data files. (edit: corrected flag to lowercase -i)
I'll keep this open until confirmed but I believe that should do the trick.
NassemKa
Hi Phil, I had run SOFELK_Parser module from Kape tool on both a live system and on mounted forensic image , so I can get a better view on sytem logs in ELK, I have dropped MFTECmd$MFT_Output,_EvtxECmd_Output,_LECmd_Output,_PECmd_Output files in /logstash/kape. The Eventlog Dashboard and LNK Dashboard are working great ,but in File System Dashboard I keep getting shards failed error caused by illegal_argument_exception in mapping script and reason is No field found for [source_geo.asn]. Is this an error? or File System Dashboard is not supposted to be used with this kind of data (Kape Output Data),also is there should data in syslog dashboard? thanks for your time and your effort, Best Regards
