Can't get text on a START_OBJECT at

I can see that the field tls.server.ja3s cannot be parsed as it is sent by eve.json. What are my options in this case? Drop it?

I am using 7.7.0 and Suricata is 5.0.3.

May 18 19:08:30 mrkilo filebeat[16036]: 2020-05-18T19:08:30.212Z#011WARN#011[elasticsearch]#011elasticsearch/client.go:384#011Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0x1873f6c8, ext:63725425705, loc:(*time.Location)(nil)}, Meta:{"pipeline":"filebeat-7.7.0-suricata-eve-pipeline"}, Fields:{"agent":{"ephemeral_id":"c8f279d8-10a5-4f15-8b35-5d81e6431afa","hostname":"mrkilo","id":"b91f000c-78bf-4633-a8a9-740b84fcc69d","type":"filebeat","version":"7.7.0"},"destination":{"address":"1.1.1.1","ip":"1.1.1.1","port":853},"ecs":{"version":"1.5.0"},"event":{"category":["network"],"created":"2020-05-18T19:08:29.151139539Z","dataset":"suricata.eve","kind":"event","module":"suricata","original":"{\"timestamp\":\"2020-05-18T19:08:25.410253+0000\",\"flow_id\":1935118405569798,\"in_iface\":\"enp2s0\",\"event_type\":\"tls\",\"src_ip\":\"192.168.0.41\",\"src_port\":48916,\"dest_ip\":\"1.1.1.1\",\"dest_port\":853,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"FB346039_0\",\"FB369639_\",\"FB332502_\"]},\"tls\":{\"subject\":\"C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com\",\"issuerdn\":\"C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA\",\"serial\":\"01:CC:E3:18:DE:9F:56:7F:AB:2B:24:90:1F:AD:A7:1D\",\"fingerprint\":\"66:56:84:01:72:b4:fb:bc:d6:d0:a4:a1:03:49:1e:93:00:4d:19:5f\",\"version\":\"TLS 1.2\",\"notbefore\":\"2019-01-28T00:00:00\",\"notafter\":\"2021-02-01T12:00:00\",\"ja3\":{},\"ja3s\":{}}}","type":["protocol"]},"fileset":{"name":"eve"},"host":{"architecture":"x86_64","containerized":false,"hostname":"mrkilo","id":"c7bda365e7514d15a201813a4f7c3348","ip":["192.168.0.17","2601:602:880:b0c0::2905","2601:602:880:b0c0:2c0:8ff:fe93:ed95","fe80::2c0:8ff:fe93:ed95","172.17.0.1"],"mac":["00:c0:08:93:ed:95","b8:08:cf:d4:ee:87","02:42:e8:11:7c:af"],"name":"mrkilo","os":{"codename":"bionic","family":"debian","kernel":"4.15.0-99-generic","name":"Ubuntu","platform":"ubuntu","version":"18.04.4 LTS (Bionic 
Beaver)"}},"input":{"type":"log"},"log":{"file":{"path":"/var/log/suricata/eve.json"},"offset":225635605},"network":{"community_id":"1:TPBDWQGM6MKIoTWI42pBKf/6v+M=","protocol":"tls","transport":"TCP"},"related":{"ip":["192.168.0.41","1.1.1.1"]},"service":{"type":"suricata"},"source":{"address":"192.168.0.41","ip":"192.168.0.41","port":48916},"suricata":{"eve":{"event_type":"tls","flow_id":1935118405569798,"in_iface":"enp2s0","metadata":{"flowbits":["FB346039_0","FB369639_","FB332502_"]},"tls":{"fingerprint":"66:56:84:01:72:b4:fb:bc:d6:d0:a4:a1:03:49:1e:93:00:4d:19:5f","issuerdn":"C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA","ja3":{},"ja3s":{},"notafter":"2021-02-01T12:00:00","notbefore":"2019-01-28T00:00:00","serial":"01:CC:E3:18:DE:9F:56:7F:AB:2B:24:90:1F:AD:A7:1D","subject":"C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com","version":"TLS 1.2"}}},"tags":["suricata"],"tls":{"server":{"hash":{"sha1":"66:56:84:01:72:b4:fb:bc:d6:d0:a4:a1:03:49:1e:93:00:4d:19:5f"},"issuer":"C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA","ja3s":{},"not_after":"2021-02-01T12:00:00","not_before":"2019-01-28T00:00:00","subject":"C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com"},"version":"1.2","version_protocol":"tls"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0008249c0), Source:"/var/log/suricata/eve.json", Offset:225636282, Timestamp:time.Time{wall:0xbfa8d45bb8385cfa, ext:191540680, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x40071, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [tls.server.ja3s] of type [keyword] in document with id 'sqsvKXIBsSvJHRVv_Lhh'. 
Preview of field's value: '{}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:1457"}}
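The warning above shows the cause: Suricata writes `"ja3": {}` and `"ja3s": {}` when it computed no fingerprint, and the index maps tls.server.ja3s as `keyword`, so the empty object is rejected. Below is an added example (not code from the thread or from the Filebeat module) of a pre-ship filter that drops empty-object fields from an eve.json line before Filebeat reads it; the sample event is constructed, reduced from the TLS event quoted in the warning.

```python
import json


def strip_empty_objects(obj):
    """Return a copy of obj with every key whose value is an empty object ({}) removed.

    Works recursively, so a parent that becomes empty after pruning (for example
    "tls": {"ja3": {}}) is dropped as well. Lists are walked but never dropped.
    Fields that carry data, such as "ja3s": {"hash": "..."}, are kept untouched.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            cleaned = strip_empty_objects(value)
            if isinstance(cleaned, dict) and not cleaned:
                continue  # drop fields like "ja3s": {} that a keyword mapping rejects
            out[key] = cleaned
        return out
    if isinstance(obj, list):
        return [strip_empty_objects(item) for item in obj]
    return obj


def sanitize_eve_line(line):
    """Parse one eve.json line and return the cleaned event as a dict.

    Returns None for lines that are not valid JSON (e.g. a truncated write),
    so the caller can skip them instead of shipping garbage.
    """
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return strip_empty_objects(event)


# Constructed sample, reduced from the Suricata TLS event quoted in the warning.
SAMPLE = ('{"timestamp":"2020-05-18T19:08:25.410253+0000","event_type":"tls",'
          '"src_ip":"192.168.0.41","src_port":48916,"dest_ip":"1.1.1.1","dest_port":853,'
          '"proto":"TCP","tls":{"subject":"CN=cloudflare-dns.com","version":"TLS 1.2",'
          '"ja3":{},"ja3s":{}}}')

if __name__ == "__main__":
    # Re-serialise on one line so the output is still a valid eve.json record.
    print(json.dumps(sanitize_eve_line(SAMPLE), separators=(",", ":")))
```

Run it as a filter between Suricata and Filebeat (or apply the same logic in an ingest pipeline), so the `tls` object reaches Elasticsearch without the empty `ja3`/`ja3s` members.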
