I've got the following error repeating on the ingest pipeline: It's on a new distributed install from ISO securityonion-2.4.20-20231012.iso. Any guidance would be appreciated.
Replies: 5 comments
-
If you run
-
I reinstalled the environment and the error seems to be gone.
-
I'm also getting the same issue as the above user; however, multiple re-installs of the manager, search node, and sensor did not seem to fix the issue. I ran sudo so-checkin and it completed without any errors as well.
-
Hey all, I was able to find the fix for this. The primary offender for the error log was the system.syslog dataset, which comes from the system integration. In the ingest pipeline for the system integration, it was converting syslog.timestamp to @timestamp. I set the target field for the "Date" processor to event.created. After this change you'll find that you get another error saying that it couldn't parse the timestamp. The syslog timestamps come out looking like this: yyyy-MM-dd'T'HH:mm:ss.SSS'Z. Add that to the formats in the final ingestion pipeline date processor and voila! You'll no longer see the error.
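The two changes described in the post above, written as a request body for Elasticsearch's simulate API (`POST _ingest/pipeline/_simulate`) so they can be checked against a sample document before the live pipelines are edited. This is an added example, not the poster's or Security Onion's own pipeline; the ISO8601 input format, the sample document, and leaving the second processor's target field at its default are assumptions.

```json
{
  "pipeline": {
    "description": "Constructed test pipeline for this thread; not the shipped system integration or final pipeline",
    "processors": [
      {
        "date": {
          "description": "Change 1 from the post: write the parsed syslog time to event.created instead of @timestamp. The ISO8601 input format is an assumption.",
          "field": "syslog.timestamp",
          "target_field": "event.created",
          "formats": ["ISO8601"]
        }
      },
      {
        "date": {
          "description": "Change 2 from the post: the later date processor must accept the form written by change 1. target_field is left at its default (@timestamp), which is an assumption.",
          "field": "event.created",
          "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"]
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "constructed sample event",
        "syslog": { "timestamp": "2023-10-20T14:03:22+00:00" }
      }
    }
  ]
}
```

The date processor writes its result using the default output format `yyyy-MM-dd'T'HH:mm:ss.SSSXXX`, which renders a UTC time with a trailing `Z`; that is why the second processor needs the extra format. Removing that format from the second processor and re-running the simulation shows the parse failure for the same document.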
-
Hi, I still get millions of system.syslog events with the same error.message: [ "failed in Fleet agent final_pipeline: field [created] not present as part of path [event.created]" ] Thanks for your help on this.