Hello,
I’m trying to make Logstash store Suricata data in a specific Elasticsearch index. When I delete the template and the Elasticsearch index and then restart Logstash, it works fine, but when Logstash creates the new daily Elasticsearch index, it fails with this message.
Logstash version is 2.3.4
Elasticsearch version is 2.1.1
logstash.conf:
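# Suricata EVE JSON -> Elasticsearch pipeline (Logstash 2.3.x config syntax).
input {
  file {
    # Suricata's EVE output, one JSON document per line; the json codec
    # turns each line into an event and tags it with type "SuricataIDPS".
    path => ["/opt/suricata/eve.json"]
    sincedb_path => ["/opt/suricata/sincedb.file"]
    codec => json
    type => "SuricataIDPS"
  }
}

filter {
  if [type] == "SuricataIDPS" {
    # Set @timestamp from Suricata's own "timestamp" field instead of the
    # ingestion time.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }

  # For fileinfo events, keep only the first comma-separated token of the
  # libmagic description as fileinfo.type (e.g. "PE32 executable" from
  # "PE32 executable (GUI) Intel 80386, for MS Windows").
  ruby {
    code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
  }

  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      # The two add_field entries on the same key are intended to build a
      # [longitude, latitude] array; add_field is only applied when the
      # lookup succeeds.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      # Interpolated values are strings; convert them so they map as floats.
      convert => [ "[geoip][coordinates]", "float" ]
    }

    # Fall back to the destination address only when the source lookup
    # produced nothing. Nested fields are referenced as [geoip][ip]; the
    # previous "[geoip.ip]" named a top-level field literally called
    # "geoip.ip", which never exists, so the fallback ran on every event
    # and re-ran the lookup against dest_ip even when src_ip had resolved.
    if ![geoip][ip] {
      # NOTE: events that carry dest_ip but no src_ip never reach this
      # branch because it is nested under "if [src_ip]" (kept as-is).
      if [dest_ip] {
        geoip {
          source => "dest_ip"
          target => "geoip"
          database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    # One index per day; the template below must match this name pattern.
    index => "suricata-logstash-%{+YYYY.MM.dd}"
    # NOTE(review): in the referenced template the "string_fields" dynamic
    # template has no "mapping" wrapper, and its "match" /
    # "match_mapping_type" keys sit outside the template object, unlike
    # every other entry ("message_field", "float_fields", ...). Since the
    # template is only applied when a new daily index is created, that
    # structure is the first thing to check when index creation fails
    # while the first (manually recreated) index works.
    template => "/etc/logstash/suricata.json"
    template_name => "suricata-logstash"
    # Re-PUT the template on every Logstash start so edits take effect.
    template_overwrite => true
  }
}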
Template:
{
"order" : 0,
"template" : "suricata-logstash-*",
"settings" : {
"index.refresh_interval" : "5s"
},
"mappings" : {
"_default_" : {
"dynamic_templates" : [ {
"message_field" : {
"mapping" : {
"index" : "analyzed",
"omit_norms" : true,
"fielddata" : {
"format" : "disabled"
},
"type" : "string"
},
"match_mapping_type" : "string",
"match" : "message"
}
}, {
"string_fields" : {
"type" : "string",
"fields" : {
"raw" : {
"index" : "not_analyzed",
"ignore_above" : 256,
"doc_values" : true,
"type" : "string"
}
}
},
"match_mapping_type" : "string",
"match" : "*"
}, {
"float_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "float"
},
"match_mapping_type" : "float",
"match" : "*"
}
}, {
"double_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "double"
},
"match_mapping_type" : "double",
"match" : "*"
}
}, {
"byte_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "byte"
},
"match_mapping_type" : "byte",
"match" : "*"
}
}, {
"short_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "short"
},
"match_mapping_type" : "short",
"match" : "*"
}
}, {
"integer_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "integer"
},
"match_mapping_type" : "integer",
"match" : "*"
}
}, {
"long_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "long"
},
"match_mapping_type" : "long",
"match" : "*"
}
}, {
"date_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "date"
},
"match_mapping_type" : "date",
"match" : "*"
}
}, {
"geo_point_fields" : {
"mapping" : {
"doc_values" : true,
"type" : "geo_point"
},
"match_mapping_type" : "geo_point",
"match" : "*"
}
} ],
"properties" : {
"@timestamp" : {
"doc_values" : true,
"type" : "date"
},
"geoip" : {
"dynamic" : true,
"properties" : {
"location" : {
"doc_values" : true,
"type" : "geo_point"
},
"longitude" : {
"doc_values" : true,
"type" : "float"
},
"latitude" : {
"doc_values" : true,
"type" : "float"
},
"ip" : {
"doc_values" : true,
"type" : "ip"
}
},
"type" : "object"
},
"@version" : {
"index" : "not_analyzed",
"doc_values" : true,
"type" : "string"
}
},
"_all" : {
"enabled" : true,
"omit_norms" : true
}
}
},
"aliases" : { }
}
Thanks for your help.