Issue: During a fresh installation of Sentinel with event visualization enabled, the security.events.normalized_* index pattern in Kibana does not display all the required fields.
Or
The error message illegal_argument_exception is displayed after the Sentinel 8.3.1 Elasticsearch clustered setup is updated to Sentinel 8.5.1. Either the mapping is not correct, or Kibana reports an error on aggregation and sorting such as:
Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [dt] in order to load field data by uninverting the inverted index. Note that this can use significant memory
Workaround: Perform the following steps to recreate the event index pattern:
Delete the index pattern (security.events.normalized_*) from the Kibana management tab.
Delete the indices (security.events.normalized_*) from Elasticsearch with the following command:
curl -X DELETE <ES_IP>:9200/security.events.normalized_*
Go to the /opt/novell/sentinel/bin directory.
Run the following command to switch to the novell user:
su novell
Run the following command to apply the mapping template to the events index in Elasticsearch:
./elasticsearch_index_template.sh <ES_IP> 9200 security.events.normalized_* <Number of Shards> <Number of Replicas>
Run the following command to create the proper index pattern:
./create_kibana_index_pattern.sh <http://localhost:5601> security.events.normalized_*
When new events reach Elasticsearch, the security.events.normalized_* index is created automatically using the template applied above.
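Before deleting indices, or after re-applying the template, it is worth confirming that the mapping really is the cause: the Kibana error above is raised for any field mapped as text that has neither a keyword sub-field nor fielddata enabled. The Python below is an added example and not part of the Sentinel scripts; it runs on a constructed sample mapping, but the same function accepts the JSON returned by curl <ES_IP>:9200/security.events.normalized_*/_mapping.

```python
import json

# Constructed sample of a `_mapping` response before the template is applied
# (not real Sentinel output): `dt` has been dynamically mapped as `text`, which
# is exactly what the aggregation/sorting error in Kibana complains about.
BROKEN_MAPPING = json.loads("""
{
  "security.events.normalized_000001": {
    "mappings": {
      "properties": {
        "dt":  {"type": "text"},
        "sev": {"type": "keyword"},
        "msg": {"type": "text",
                "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
        "src": {"properties": {"ip": {"type": "ip"}, "host": {"type": "text"}}}
      }
    }
  }
}
""")


def _walk(props, prefix, out):
    """Recursively collect text fields that cannot be aggregated or sorted on."""
    for name, spec in props.items():
        path = f"{prefix}{name}"
        if "properties" in spec:          # object field: descend into it
            _walk(spec["properties"], f"{path}.", out)
            continue
        if spec.get("type") != "text":
            continue
        has_keyword_sub = any(
            sub.get("type") == "keyword" for sub in spec.get("fields", {}).values()
        )
        if not has_keyword_sub and not spec.get("fielddata", False):
            out.append(path)


def find_unaggregatable_text_fields(mapping_response):
    """Return sorted dotted paths of text fields with no keyword sub-field and
    fielddata disabled; aggregating or sorting on them raises
    illegal_argument_exception in Elasticsearch."""
    bad = []
    for body in mapping_response.values():
        _walk(body.get("mappings", {}).get("properties", {}), "", bad)
    return sorted(set(bad))


if __name__ == "__main__":
    for field in find_unaggregatable_text_fields(BROKEN_MAPPING):
        print(f"{field}: text field without keyword sub-field, "
              "expect illegal_argument_exception on aggregation/sort")
```

An empty result after the template has been applied means the mapping is no longer the cause and the remaining problem is in the Kibana index pattern itself.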