[BUG] "LME Status dashboard" empty, but Kibana is full of logs from clients #16

Closed
braimee opened this issue May 3, 2019 · 6 comments

@braimee

commented May 3, 2019

Describe the issue
I think this could very well be a "just me" issue, but my LME Status Dashboard is empty, yet under "Discover" the events are pouring in.

To Reproduce

  1. Follow LME instructions until you get to the point of installing the winlogbeat service.

  2. Notice that Kibana is up and running but not collecting any events.

  3. Don't follow the directions and install the winlogbeat service without the files being in the right place :-(

  4. Stop/uninstall winlogbeat

  5. Put files in the right paths :-)

  6. Reinstall winlogbeat

  7. Check that winlogbeat is started and winlogbeat log is free of errors.

  8. Check Kibana and see under "Discover" that events are pouring in.

  9. Click Dashboard->LME Status Dashboard and note 0 events and 0 computers found.

  10. Delete the dashboard and reimport for good luck.

  11. Still an empty LME status dashboard.

Anything else I can try?

Thanks,
Brian

@braimee braimee added the bug label May 3, 2019

@duncan-ncc

Collaborator

commented May 3, 2019

Hi @braimee, did you delete the default index as well or refresh the field mappings?
The only thing I can think of at the moment is that your fields haven't been updated (if this is the case, you will see an orange triangle when you expand an entry in Discover).

@braimee

Author

commented May 3, 2019

Hey there (and holy cow thanks for all your quick replies!), all I did on the Kibana side is run the install, log into the interface and then import the LME dashboards. However, maybe I am experiencing the issue with fields? Here's one of my events expanded:

[Image: Screen Shot 2019-05-03 at 11 30 25 AM]

Brian

@duncan-ncc

Collaborator

commented May 7, 2019

Hi @braimee, it does look like you are having an issue with the fields (without looking into it in more detail, it's hard to say why this happened).
If you go to Management > Index Patterns and press Refresh Field List (in the top right), this should fix your issue.

@braimee

Author

commented May 7, 2019

I followed these steps but I might've broken the world even more now? After refreshing fields, my individual events look better:

[Image: event]

But the dashboard now looks all sad:

[Image: dashboard]

Should I be reimporting that dashboard .json file in these steps at all?

Brian

@duncan-ncc

Collaborator

commented May 7, 2019

Hi @braimee

Can you confirm you have the latest dashboards? It does look like you have old dashboards (the fields should be mapped properly if you imported the dashboards, for example). Can you make sure you have the latest from the git (dashboard 0.1.2.json)?

@braimee

Author

commented May 8, 2019

That did it, thank you! And thanks for all your great work on this, I'm REALLY excited to watch this project as it moves forward. Also, I talked about LME on my podcast this past week so I'm trying to spread the word :-)

@braimee braimee closed this May 8, 2019
