Issue: During a fresh installation of Sentinel, after event visualization is enabled, the security.events.normalized_* index pattern in OpenSearch Dashboards does not display all the required fields.
Workaround: Perform the following steps to recreate the event index pattern:

1. Delete the index pattern (security.events.normalized_*) from the OpenSearch Dashboards management tab.

2. Go to the <sentinel_installation_path>/opt/novell/sentinel/bin directory.

3. Run the following command to switch to the novell user:

   su novell

4. Run the following command to delete the events index security.events.normalized_* from OpenSearch:

   ./opensearch_index_template.sh <OPENSEARCH_IP> <OPENSEARCH_PORT> security.events.normalized_* delete

   For example:

   ./opensearch_index_template.sh localhost 9200 security.events.normalized_* delete

5. Run the following command to apply the mapping template to the events index in OpenSearch:

   ./opensearch_index_template.sh <OPENSEARCH_IP> <OPENSEARCH_PORT> security.events.normalized_* create <Number of Shards> <Number of Replicas>

   For example:

   ./opensearch_index_template.sh localhost 9200 security.events.normalized_* create 6 1

6. Run the following command to create the correct index pattern in OpenSearch Dashboards:

   ./create_opensearch_dashboards_index_pattern.sh https://localhost:5601 security.events.normalized_* <tenant_name>

When events reach OpenSearch, the security.events.normalized_* index is created automatically in OpenSearch.
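To confirm the workaround took effect, the following added check (not part of the Sentinel documentation or its scripts) compares the leaf fields in the live index mapping against the fields stored in the recreated index pattern and reports any that the pattern still lacks. It assumes the OpenSearch mapping endpoint, the Dashboards saved-objects API with a JSON-encoded `attributes.fields` list, and the `securitytenant` header for the tenant; the field names in the embedded sample are constructed.

```python
"""Report mapping fields missing from an OpenSearch Dashboards index pattern."""
import json
import sys
import urllib.parse
import urllib.request

INDEX_PATTERN = "security.events.normalized_*"


def flatten_mapping(properties, prefix=""):
    """Flatten a mapping 'properties' tree into dotted leaf field names."""
    names = set()
    for name, spec in properties.items():
        full = f"{prefix}{name}"
        if "properties" in spec:  # object field: recurse into sub-fields
            names |= flatten_mapping(spec["properties"], full + ".")
        else:
            names.add(full)
    return names


def mapping_fields(mapping_response):
    """Union of leaf fields across every index in a GET /<index>/_mapping reply."""
    fields = set()
    for index_body in mapping_response.values():
        fields |= flatten_mapping(index_body["mappings"].get("properties", {}))
    return fields


def index_pattern_fields(saved_object):
    """Field names of an index-pattern saved object; 'attributes.fields' is
    assumed to be a JSON-encoded list of {name, type, ...} entries."""
    raw = saved_object["attributes"].get("fields", "[]")
    return {f["name"] for f in json.loads(raw)}


def missing_fields(mapping_response, saved_object):
    """Fields present in the index mapping but absent from the index pattern."""
    return sorted(mapping_fields(mapping_response) - index_pattern_fields(saved_object))


def fetch_json(url, headers=None):
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers or {})) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: check_index_pattern.py <opensearch_url> <dashboards_url> <tenant_name>
    os_url, osd_url, tenant = sys.argv[1:4]
    mapping = fetch_json(f"{os_url}/{urllib.parse.quote(INDEX_PATTERN)}/_mapping")
    query = urllib.parse.urlencode({"type": "index-pattern", "search_fields": "title",
                                    "search": INDEX_PATTERN})
    found = fetch_json(f"{osd_url}/api/saved_objects/_find?{query}", {"securitytenant": tenant})
    for obj in found["saved_objects"]:
        print(obj["attributes"]["title"], "missing fields:", missing_fields(mapping, obj))
```

An empty "missing fields" list for the security.events.normalized_* pattern means the recreated pattern covers every field the mapping template defines.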