Trying to ingest the below event:
{"modified": "2019-12-27 16:08:00", "published": "2015-03-08 02:59:00", "access": {"authentication": "none", "complexity": "low", "vector": "network"}, "assigner": "cve@mitre.org", "capec": [], "cvss": 5.0, "cvss-time": "2019-12-27 16:08:00", "cvss-vector": "av:n/ac:l/au:n/c:n/i:n/a:p", "cwe": "cwe-189", "id": "cve-2015-2189", "impact": {"availability": "partial", "confidentiality": "none", "integrity": "none"}, "last-modified": {"$date": 1577462880000}, "redhat": {"advisories": [{"rhsa": {"id": "rhsa-2015:1460"}}], "rpms": ["wireshark-0:1.8.10-17.el6", "wireshark-debuginfo-0:1.8.10-17.el6", "wireshark-devel-0:1.8.10-17.el6", "wireshark-gnome-0:1.8.10-17.el6", "wireshark-0:1.10.14-7.el7", "wireshark-debuginfo-0:1.10.14-7.el7", "wireshark-devel-0:1.10.14-7.el7", "wireshark-gnome-0:1.10.14-7.el7"]}, "references": ["http://advisories.mageia.org/mgasa-2015-0117.html", "http://lists.opensuse.org/opensuse-updates/2015-03/msg00038.html", "http://rhn.redhat.com/errata/rhsa-2015-1460.html", "http://www.debian.org/security/2015/dsa-3210", "http://www.mandriva.com/security/advisories?name=mdvsa-2015:183", "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html", "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", "http://www.securityfocus.com/bid/72944", "http://www.securitytracker.com/id/1031858", "http://www.wireshark.org/security/wnpa-sec-2015-08.html", "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10895", "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a835c85e3d662343d7283f1dcdacb8a11d1d0727", "https://security.gentoo.org/glsa/201510-03"], "refmap": {"bid": ["72944"], "confirm": ["http://advisories.mageia.org/mgasa-2015-0117.html", "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html", "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", "http://www.wireshark.org/security/wnpa-sec-2015-08.html", "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10895", "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a835c85e3d662343d7283f1dcdacb8a11d1d0727"], "debian": ["dsa-3210"], "gentoo": ["glsa-201510-03"], "mandriva": ["mdvsa-2015:183"], "sectrack": ["1031858"], "suse": ["opensuse-su-2015:0489"]}, "summary": "off-by-one error in the pcapng_read function in wiretap/pcapng.c in the pcapng file parser in wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via an invalid interface statistics block (isb) interface id in a crafted packet.", "vulnerable_configuration": [{"id": "cpe:2.3:a:wireshark:wireshark:1.10.0:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.0:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.1:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.1:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.2:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.2:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.3:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.3:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.4:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.4:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.5:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.5:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.6:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.6:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.7:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.7:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.8:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.8:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.9:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.9:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.10:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.10:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.11:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.11:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.10.12:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.10.12:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.12.0:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.12.0:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.12.1:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.12.1:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.12.2:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.12.2:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:a:wireshark:wireshark:1.12.3:*:*:*:*:*:*:*", "title": "cpe:2.3:a:wireshark:wireshark:1.12.3:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*", "title": "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*", "title": "cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "title": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "title": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "title": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "title": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*", "title": "cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*"}], "vulnerable_configuration_cpe_2_2": [], "vulnerable_product": ["cpe:2.3:a:wireshark:wireshark:1.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.2:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.3:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.4:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.5:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.6:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.7:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.8:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.9:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.10:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.11:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.10.12:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:wireshark:wireshark:1.12.3:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*"]}
with this config:
input {
file {
mode => "read"
file_chunk_size => 512000
path => "/*.*"
stat_interval => 2
}
}
filter {
json {
source => "message"
}
date {
match => [ "published", "yyyy-MM-dd HH:mm:ss" ]
}
}
and getting this error:
[filewatch.readmode.handlers.readfile] buffer_extract: a delimiter can't be found in current chunk, maybe there are no more delimiters or the delimiter is incorrect or the text before the delimiter, a 'line', is very large, if this message is logged often try increasing the `file_chunk_size` setting. {"delimiter"=>"\n", "read_position"=>0, "bytes_read_count"=>6905, "last_known_file_size"=>6905, "file_path"=>"/1cve.json"}
I have a dataset of over 46k events and three of these have this date parse failure. These three events are not the longest events, nor do they come at the beginning or end of a file...so I'm not sure what the problem is. All these events actually reside in a single file.
What am I missing??