Unable to configure index patterns for SIEM UI #40055
Comments
Pinging @elastic/secops
Hi @canterberry - the index patterns used by the SIEM app are configurable through the setting So in your case, you could change them by prepending We put this in the documentation, but I agree it's not easy to find. One more thing: When using Logstash to send data intended for the SIEM app, it's important to first import the respective Beats index template (e.g. by running
Thanks, @cwurm. I didn't know there even was a dedicated SIEM guide -- I was looking at Kibana's SIEM UI reference. Upon reinspection, this does indeed appear to be covered there as well. I suppose my feature request, then, pivots to surfacing this in the UI like the Infrastructure and Logs apps do (not necessarily in the same way, just indicating some prior art in this area to help clarify the intent of the request).
☝️ Also, thanks for the heads-up on running
This is rather unfortunate, and we're back to square one in a slightly different way: I have the Instead, I get a big ol' nasty column of errors when I view the SIEM UI: Happy to create a separate issue for this. Again, the SIEM UI looks like it could be very useful. I'm excited to see it mature into a solid part of Kibana and useful with minimal to no friction.
Ah, I think I know what's happening: Because you're using a different index template, To make it do the right thing, the settings inside
You can verify template loading succeeded by checking
Thanks, @cwurm. Getting
Yeah, if you only want the index template exporting it to a file with |
Describe the feature:
The Logs UI settings in Kibana provides for the ability to set the index patterns for querying log and metrics data, but the SIEM UI does not provide for the ability to configure this. As a result, the SIEM UI cannot find my data.
I would like to be able to configure (via settings or via the SIEM UI) index patterns to help the SIEM UI find my data.
For reference, here's what the Infrastructure UI looks like for configuring the index patterns:
Describe a specific use case for the feature:
I use versioned indexes like `logstash-7.2.0-auditbeat-2019.07.01`, and the SIEM UI just can't seem to find the Beats data I know is there (from FileBeat, MetricBeat, AuditBeat, and PacketBeat). As a result, I am unable to use what seems like a really useful part of Kibana.
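As an added example (not code from this issue, from Kibana or from Elastic), the following Python checker shows why index names of the shape described in this issue fall outside Beats-style index patterns and how a widened pattern list covers them. The index names and both pattern lists are constructed for the example; the matcher assumes the Elasticsearch index-pattern rules of `*` as the only wildcard and a leading `-` as an exclusion.

```python
import re
from typing import Dict, Iterable, List, Pattern


def pattern_to_regex(pattern: str) -> Pattern[str]:
    """Translate an Elasticsearch index pattern into an anchored regex.

    Only '*' is a wildcard; every other character is literal.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def matching_indices(patterns: Iterable[str], index_names: Iterable[str]) -> List[str]:
    """Return the index names selected by a comma-separated style pattern list.

    Patterns prefixed with '-' exclude indices that an earlier include matched.
    """
    includes: List[Pattern[str]] = []
    excludes: List[Pattern[str]] = []
    for raw in patterns:
        p = raw.strip()
        if not p:
            continue
        target = excludes if p.startswith("-") else includes
        target.append(pattern_to_regex(p.lstrip("-")))
    return [
        name for name in index_names
        if any(r.match(name) for r in includes)
        and not any(r.match(name) for r in excludes)
    ]


# Constructed index names: three in the Logstash-versioned layout from the issue,
# one in the layout a Beat writing straight to Elasticsearch would produce.
SAMPLE_INDICES = [
    "logstash-7.2.0-auditbeat-2019.07.01",
    "logstash-7.2.0-filebeat-2019.07.01",
    "logstash-7.2.0-packetbeat-2019.07.01",
    "auditbeat-7.2.0-2019.07.01",
]
# Constructed pattern lists: Beats-style defaults vs. patterns widened for the
# Logstash-prefixed naming.
DEFAULT_PATTERNS = ["auditbeat-*", "filebeat-*", "packetbeat-*", "winlogbeat-*"]
LOGSTASH_PATTERNS = ["logstash-*-auditbeat-*", "logstash-*-filebeat-*", "logstash-*-packetbeat-*"]


def coverage_report(patterns: Iterable[str], index_names: List[str]) -> Dict[str, List[str]]:
    """Split index names into those a pattern list covers and those it silently misses."""
    matched = matching_indices(patterns, index_names)
    return {"matched": matched, "unmatched": [n for n in index_names if n not in matched]}


if __name__ == "__main__":
    print("defaults :", coverage_report(DEFAULT_PATTERNS, SAMPLE_INDICES))
    print("logstash :", coverage_report(LOGSTASH_PATTERNS, SAMPLE_INDICES))
```

An index that lands in `unmatched` never reaches the SIEM views at all, so running a check like this whenever index naming changes catches the coverage gap before it shows up as missing hosts or events.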