Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fails to open the Filebeat auditd dashboard in Kibana #4595

Closed
monicasarbu opened this issue Jul 3, 2017 · 4 comments
Closed

Fails to open the Filebeat auditd dashboard in Kibana #4595

monicasarbu opened this issue Jul 3, 2017 · 4 comments
Labels
:Dashboards Filebeat Filebeat

Comments

@monicasarbu
Copy link
Contributor

After loading the dashboard for the auditd module in Filebeat, the following error is printed by Kibana:

screen shot 2017-07-03 at 2 31 02 pm
@monicasarbu monicasarbu mentioned this issue Jul 3, 2017
Closed
12 tasks
@monicasarbu
Copy link
Contributor Author

@andrewkroh can you please have a look? Maybe the error disappears after you have some data.

@andrewkroh
Copy link
Member

That error makes me think that there is a error parsing the JSON query string. I should be able to run the Filebeat modules test suite to get some data populated in ES and see what happens.

@andrewkroh
Copy link
Member

andrewkroh commented Jul 5, 2017
edited
Loading

I narrow the error down to being caused by the Timelion graph no longer accepting

.es(q="_exists_:auditd.log NOT auditd.log.res:failure").label("Success") .es(q="auditd.log.res:failed").label("Failure").title("Audit Event Result")

The full error is:

Timelion: Error: in cell #1: [parsing_exception] [query_string] unknown token [START_OBJECT] after [query], with { line=1 & col=297 }
Error:  in cell #1: [parsing_exception] [query_string] unknown token [START_OBJECT] after [query], with { line=1 & col=297 }
    at throwWithCell (/usr/share/kibana/src/core_plugins/timelion/server/handlers/chain_runner.js:48:11)
    at /usr/share/kibana/src/core_plugins/timelion/server/handlers/chain_runner.js:214:11
    at bound (domain.js:280:14)
    at runBound (domain.js:293:12)
    at tryCatcher (/usr/share/kibana/node_modules/bluebird/js/main/util.js:26:23)
    at Promise._settlePromiseFromHandler (/usr/share/kibana/node_modules/bluebird/js/main/promise.js:503:31)
    at Promise._settlePromiseAt (/usr/share/kibana/node_modules/bluebird/js/main/promise.js:577:18)
    at Promise._settlePromises (/usr/share/kibana/node_modules/bluebird/js/main/promise.js:693:14)
    at Async._drainQueue (/usr/share/kibana/node_modules/bluebird/js/main/async.js:123:16)
    at Async._drainQueues (/usr/share/kibana/node_modules/bluebird/js/main/async.js:133:10)
    at Immediate.Async.drainQueues (/usr/share/kibana/node_modules/bluebird/js/main/async.js:15:14)
    at runCallback (timers.js:666:20)
    at tryOnImmediate (timers.js:639:5)
    at processImmediate [as _immediateCallback] (timers.js:611:5)

kibana-timelion-6 0 0-alpha3-auditd-query

I pasted the same expression into a 5.2.2 instance I had running and there was no error.

kibana-timelion-5 2 2-auditd-query

@andrewkroh
Copy link
Member

Adding a comma between the expressions seems to fix the issue.

tsg pushed a commit to tsg/beats that referenced this issue Aug 18, 2017
Renamed Filebeat Auditd dashboards and visualizations
d1a6dbb 
Also fixes elastic#4595, there was a missing comma.
@andrewkroh andrewkroh mentioned this issue Aug 18, 2017
Merged
9 tasks
tsg added a commit to tsg/beats that referenced this issue Aug 23, 2017
@tsg
Filebeat modules: Rename dashboards and visualization (elastic#4952)
a51a884 
* Renamed fields in Apache2 and Nginx modules

* Renamed Filebeat Auditd dashboards and visualizations

Also fixes elastic#4595, there was a missing comma.

* Rename the dashboards/viz for the system module

This addresses in part elastic#4567.

* updated the icinga module dashboard. Also fixed the searches to not depend on the file names

* Updated mysql dashboard

* Updated redis dashboard

* Renamed one more postgres viz

(cherry picked from commit 807bc43)
ruflin pushed a commit that referenced this issue Aug 24, 2017
@tsg @ruflin
Filebeat modules: Rename dashboards and visualization (#4952) (#4985)
a7e6d3c 
* Renamed fields in Apache2 and Nginx modules

* Renamed Filebeat Auditd dashboards and visualizations

Also fixes #4595, there was a missing comma.

* Rename the dashboards/viz for the system module

This addresses in part #4567.

* updated the icinga module dashboard. Also fixed the searches to not depend on the file names

* Updated mysql dashboard

* Updated redis dashboard

* Renamed one more postgres viz

(cherry picked from commit 807bc43)
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
@tsg @ruflin
Filebeat modules: Rename dashboards and visualization (elastic#4952) (e…
bc44126 
…lastic#4985)

* Renamed fields in Apache2 and Nginx modules

* Renamed Filebeat Auditd dashboards and visualizations

Also fixes elastic#4595, there was a missing comma.

* Rename the dashboards/viz for the system module

This addresses in part elastic#4567.

* updated the icinga module dashboard. Also fixed the searches to not depend on the file names

* Updated mysql dashboard

* Updated redis dashboard

* Renamed one more postgres viz

(cherry picked from commit 56e9d10)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
:Dashboards Filebeat Filebeat
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@andrewkroh @monicasarbu