Hi all
I get the logs from Suricata (eve.json), so I've enabled the suricata module in filebeat.
But whenever I start filebeat, I get this error:
2021-08-13T18:11:18.650+0900 ERROR [reload] cfgfile/list.go:99 Error creating runner from config: failed to create input: Can only start an input when all related states are finished: {Id: native::12216862-129, Finished: false, Fileinfo: &{eve.json 4732 420 {802951655 63764442666 0x562c8bea5e40} {129 12216862 1 33188 0 0 0 0 4732 4096 16 {1628845832 278954369} {1628845866 802951655} {1628845866 802951655} [0 0 0]}}, Source: /var/log/suricata/eve.json, Offset: 9464, Timestamp: 2021-08-13 18:11:16.677225147 +0900 KST m=+89.312697257, TTL: -1ns, Type: log, Meta: map[], FileStateOS: 12216862-129}
I think that because of this error the filebeat module is not working properly, so the logs were not parsed.
This is my filebeat.yml:
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/suricata/eve.json

filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: true #false

setup.dashboards.enabled: true
setup.kibana.host: "http://kibana:5601"

output.elasticsearch:
  hosts: [ "http://elasticsearch:9200" ]
  username: elastic
  password: password

setup.ilm.enabled: false
setup.ilm.check_exists: false
This is the Dockerfile for filebeat:
FROM docker.elastic.co/beats/filebeat:7.13.4
#COPY ${pwd}/config/filebeat.yml /usr/share/filebeat/filebeat.yml
USER root
RUN chown root:filebeat /usr/share/filebeat/filebeat.yml
RUN filebeat modules enable suricata
USER filebeat
This is the filebeat part of docker-compose.yml:
filebeat:
  build:
    context: filebeat/
  user: root
  volumes:
    - /var/lib/docker:/var/lib/docker:ro
    - /var/run/docker.sock:/var/run/docker.sock
    - {pwd}/test_elk/filebeat/config/filebeat.yml:/usr/share/filebeat/filebeat.yml
    - {pwd}/test_elk/suricata/test_suricata_5.0/log:/var/log/suricata
  entrypoint: "filebeat -e -strict.perms=false"
  privileged: true
  networks:
    - elk
I don't know how to solve this problem.
What is the problem and how can I solve it?
Thanks.
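An added example, not part of the original post: the error above reports that the registry state for device/inode 12216862-129 (eve.json) is still unfinished when the module's input starts, which is what Filebeat says when two inputs are configured to harvest the same file. In the posted filebeat.yml the generic `log` input and the suricata module (whose eve fileset reads /var/log/suricata/eve.json by default) both claim that file. The configuration below keeps only the module; the modules.d/suricata.yml content is an assumed version of the module settings, not something shown on the page.

```yaml
# filebeat.yml (assumed corrected version; the generic log input for
# eve.json from the original post is removed so only the module reads it)
filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: true

setup.dashboards.enabled: true
setup.kibana.host: "http://kibana:5601"

output.elasticsearch:
  hosts: [ "http://elasticsearch:9200" ]
  username: elastic
  password: password

setup.ilm.enabled: false
setup.ilm.check_exists: false

# modules.d/suricata.yml (assumed; this is the file that
# `filebeat modules enable suricata` activates in the Dockerfile)
- module: suricata
  eve:
    enabled: true
    # Explicit path matching the compose volume mount above;
    # it is also the module's default, so only one input owns the file.
    var.paths: ["/var/log/suricata/eve.json"]
```

If the raw `log` input is the one you want to keep instead, disable the module's eve fileset (`enabled: false`) so that the two never point at the same file.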