Failed to parse mapping [_default_]: A dynamic template must be defined with a name

Hello,

I'm trying to make Logstash store Suricata data in a specific Elasticsearch index. When I delete the template and the Elasticsearch index and then restart Logstash, it works fine, but when Logstash creates a new daily Elasticsearch index, it fails with this message.

Logstash version is 2.3.4
Elasticsearch version is 2.1.1

logstash.conf

# Input stage: tail Suricata's EVE JSON log and tag every event with a type.
input {
  file { 
    # File that Suricata writes its EVE events to.
    path => ["/opt/suricata/eve.json"]
    # Where the file input records how far it has read, so a restart resumes
    # from that position.
    sincedb_path => ["/opt/suricata/sincedb.file"]
    # Decode each line as JSON so the EVE keys become event fields.
    codec =>   json 
    # Tag tested by the conditional at the top of the filter section.
    type => "SuricataIDPS" 
  }

}

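# Filter stage: take the event time from Suricata's own timestamp, derive a short
# file type for fileinfo events, and attach GeoIP data for one endpoint address.
filter {
  if [type] == "SuricataIDPS" {
    # Parse Suricata's "timestamp" field into the event time (@timestamp), which
    # is also what the daily index name in the output section is derived from.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }

  # NOTE(review): this block is outside the type conditional above, so it is
  # evaluated for every event in the pipeline. For fileinfo events it stores the
  # text before the first comma of fileinfo.magic in fileinfo.type.
  ruby {
    code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
  }

  if [src_ip] {
    # Look up the source address first. The two add_field entries build
    # [geoip][coordinates] as a [longitude, latitude] pair.
    geoip {
      source => "src_ip"
      target => "geoip"
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    # The interpolated values above are strings; store them as numbers.
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }

    # Fall back to the destination address only when the source lookup produced
    # no result. Nested fields are referenced as [geoip][ip]; the earlier form
    # [geoip.ip] names a top-level field literally called "geoip.ip", which this
    # pipeline never sets, so the dest_ip lookup also ran after a successful
    # src_ip lookup and wrote into the same [geoip] target.
    if ![geoip][ip] {
      if [dest_ip] {
        geoip {
          source => "dest_ip"
          target => "geoip"
          database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }
  }
}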

# Output stage: write every event to a daily Elasticsearch index and install the
# index template that governs the mappings of those indices.
output {
  elasticsearch {
    # Local node only; this block sets no ssl or user/password options.
    hosts => ["localhost:9200"]
    # One index per day, named from the event's @timestamp.
    index => "suricata-logstash-%{+YYYY.MM.dd}"
    # Template file that Logstash sends to Elasticsearch under template_name.
    # Its "template" pattern (suricata-logstash-*) matches each new daily index.
    template => "/etc/logstash/suricata.json"
    template_name => "suricata-logstash"
    # Replace any template already stored under that name.
    template_overwrite => true
    # NOTE(review): the "Failed to parse mapping [_default_]" error quoted in this
    # post presumably comes from Elasticsearch applying this template to a newly
    # created daily index. In the template shown below, the "string_fields" entry
    # of dynamic_templates has "match_mapping_type" and "match" beside the name
    # key rather than inside it (and no "mapping" object), so that array element
    # carries three keys where a single named template is expected. Check that first.
  }
}

Template:

{
    "order" : 0,
    "template" : "suricata-logstash-*",
    "settings" : {
      "index.refresh_interval" : "5s"
    },
    "mappings" : {
      "_default_" : {
        "dynamic_templates" : [ {
          "message_field" : {
            "mapping" : {
              "index" : "analyzed",
              "omit_norms" : true,
              "fielddata" : {
                "format" : "disabled"
              },
              "type" : "string"
            },
            "match_mapping_type" : "string",
            "match" : "message"
          }
        }, {
          "string_fields" : {
              "type" : "string",
              "fields" : {
                "raw" : {
                  "index" : "not_analyzed",
                  "ignore_above" : 256,
                  "doc_values" : true,
                  "type" : "string"
                }
              }
            },
            "match_mapping_type" : "string",
            "match" : "*"
                  }, {
          "float_fields" : {
            "mapping" : {
              "doc_values" : true,
              "type" : "float"
            },
            "match_mapping_type" : "float",
            "match" : "*"
          }
        }, {
          "double_fields" : {
            "mapping" : {
              "doc_values" : true,
              "type" : "double"
            },
            "match_mapping_type" : "double",
            "match" : "*"
          }
        }, {
          "byte_fields" : {
            "mapping" : {
              "doc_values" : true,
              "type" : "byte"
            },
            "match_mapping_type" : "byte",
            "match" : "*"
          }
    }, {
      "short_fields" : {
        "mapping" : {
          "doc_values" : true,
          "type" : "short"
        },
        "match_mapping_type" : "short",
        "match" : "*"
      }
    }, {
      "integer_fields" : {
        "mapping" : {
          "doc_values" : true,
          "type" : "integer"
        },
        "match_mapping_type" : "integer",
        "match" : "*"
      }
    }, {
      "long_fields" : {
        "mapping" : {
          "doc_values" : true,
          "type" : "long"
        },
        "match_mapping_type" : "long",
        "match" : "*"
      }
    }, {
      "date_fields" : {
        "mapping" : {
          "doc_values" : true,
          "type" : "date"
        },
        "match_mapping_type" : "date",
        "match" : "*"
      }
    }, {
      "geo_point_fields" : {
        "mapping" : {
          "doc_values" : true,
          "type" : "geo_point"
        },
        "match_mapping_type" : "geo_point",
        "match" : "*"
      }
    } ],
    "properties" : {
      "@timestamp" : {
        "doc_values" : true,
        "type" : "date"
      },
      "geoip" : {
        "dynamic" : true,
        "properties" : {
          "location" : {
            "doc_values" : true,
            "type" : "geo_point"
          },
          "longitude" : {
            "doc_values" : true,
            "type" : "float"
          },
          "latitude" : {
            "doc_values" : true,
            "type" : "float"
          },
          "ip" : {
            "doc_values" : true,
            "type" : "ip"
          }
        },
        "type" : "object"
      },
      "@version" : {
        "index" : "not_analyzed",
        "doc_values" : true,
        "type" : "string"
      }
    },
    "_all" : {
      "enabled" : true,
      "omit_norms" : true
    }
  }
},
"aliases" : { }

}

Thanks for your help.

Hello,

any thoughts?

Hello,

Is this a stupid question, or is nobody aware of such an issue?

bump

bump
