Filebeat pipping Suricatas eve.json issues

eriknox · March 31, 2020, 2:39pm

Hello all,

I have Elastic 7.6.1 up and running without the use of Logstash. My issue that I have is that I cannot get Filebeat to ingest Suricata. I have the module imported. Suricata is alerting and dropping the json into the eve.json file. Filebeat is configured to look in there and has loaded the dashboards. I can be more verbose, just let me know what you need to know.

/etc/filebeat/modules.d/suricata.yml

#Module: suricata
- module: suricata
  #All logs
  eve:
    enabled: true
    var.paths: [“/usr/local/var/log/suricata/eve.json”]

filebeat.yml

setup.kibana:
  host: "192.168.1.200:5601"
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
output.elasticsearch:
  hosts: ["192.168.1.200:9200"]

````````````````````````````````````

Any help would be much appreciated.

eriknox · March 31, 2020, 5:55pm

Solved. var.paths: [“/usr/local/var/log/suricata/eve.json”]

The quotations were copied from another document and they were "enriched"....

Topic		Replies	Views
Filebeat doesn't catchup with suricata eve.json Beats filebeat	7	1871	September 9, 2021
I didnt get suricata eve.json Kibana	5	1570	August 29, 2019
No data in suricata dashboard Beats filebeat	7	506	February 20, 2024
Using the Filebeat Suricata Module for EVE-Logs in Syslog messages Beats beats-module , filebeat	1	936	October 7, 2020
Filebeat issue## Beats filebeat	1	353	February 28, 2020

Filebeat pipping Suricatas eve.json issues

Related Topics