6. Troubleshooting
If you run the detection with the ./mange.py impossible_travel command and you get the following error:
elasticsearch.exceptions.RequestError: RequestError(400, 'search_phase_execution_exception', 'Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [user.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.')
Probably you added the login data on Elasticsearch before the loading of the template.
Solution:
- Delete the data from the Stack Management → Index Management section
- Delete the template from Stack Management → Index Management → Index Templates
- Load again the template with the
./load_templates.shscript that you can find in the /config/elasticsearch/ BuffaLogs' folder - Recreate the login data using the
python random_example.pyscript.
If you have multiple errors and you'd like to reset all the Docker environment, follow the steps below:
Docker cleanup.
a. Delete BuffaLogs image. See all the images with docker images ls and delete the BuffaLogs image: docker rmi <image_ID
b. Remove containers. List all the containers launching docker container ls -a, then stop the container you want to delete if it's running: docker container stop <container_ID> and delete it with: docker container rm <container_ID
c. Remove volumes. Visualize all the volumes running docker volume ls and remove with docker volume rm <volume_name>