Currently using a pfSense running 2.4.x and a filebeat I built against 7.6.1 for FreeBSD. Whenever an alert comes in, I get:
error.message:cannot resolve [timestamp] from null as part of path [suricata.eve.timestamp]
Here's my suricata.yml:
- module: suricata
  # All logs
  eve:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths:
      - "/var/log/suricata/*/eve.json*"
I had built filebeat against x-pack as I wasn't sure if the oss version included it, and I think it may be working, as when filebeat starts up I see this without any errors:
2020-03-28T17:30:46.955-0400 INFO beater/filebeat.go:92 Enabled modules/filesets: suricata (eve)
as well as this if debug is enabled:
2020-03-28T17:30:56.982-0400 DEBUG [input] log/config.go:204 recursive glob enabled
2020-03-28T17:30:56.982-0400 DEBUG [input] log/input.go:164 exclude_files: [(?-s:.)gz(?-m:$)]. Number of stats: 2
2020-03-28T17:30:56.982-0400 DEBUG [input] file/states.go:68 New state added for /var/log/suricata/suricata_igb051967/eve.json
2020-03-28T17:30:56.982-0400 DEBUG [publisher] pipeline/client.go:220 Pipeline client receives callback 'onFilteredOut' for event: {Timestamp:0001-01-01 00:00:00 +0000 UTC Meta:null Fields:null Private:{Id:882918-115 Finished:true Fileinfo:<nil> Source:/var/log/suricata/suricata_igb051967/eve.json Offset:2120297 Timestamp:2020-03-28 17:30:31.624443077 -0400 EDT TTL:-1ns Type:log Meta:map[] FileStateOS:882918-115} TimeSeries:false}
2020-03-28T17:30:56.982-0400 DEBUG [acker] beater/acker.go:64 stateful ack {"count": 1}
2020-03-28T17:30:56.983-0400 DEBUG [input] log/input.go:185 input with previous states loaded: 1
2020-03-28T17:30:56.983-0400 INFO log/input.go:152 Configured paths: [/var/log/suricata/*/eve.json*]
2020-03-28T17:30:56.983-0400 DEBUG [registrar] registrar/registrar.go:356 Processing 1 events
2020-03-28T17:30:56.983-0400 DEBUG [reload] cfgfile/list.go:101 Starting runner: suricata (eve)
2020-03-28T17:30:56.983-0400 DEBUG [registrar] registrar/registrar.go:326 Registrar state updates processed. Count: 1
2020-03-28T17:30:56.983-0400 DEBUG [registrar] registrar/registrar.go:346 Registrar states cleaned up. Before: 2, After: 2, Pending: 0
2020-03-28T17:30:56.983-0400 DEBUG [registrar] registrar/registrar.go:411 Write registry file: /usr/local/sbin/data/registry/filebeat/data.json (2)
Here's an example:
@timestamp Mar 28, 2020 @ 19:05:29.997
_id BMNkI3EBzBkAR07yrjJR
_index filebeat-7.6.1-2020.03.10-000001
_score -
_type _doc
agent.ephemeral_id bb1df2a5-2109-4c30-b8ee-0281e734dad5
agent.hostname firewall
agent.id bb1444d3-d287-4023-827e-940c25f8ca63
agent.type filebeat
agent.version 7.6.1
destination.address REMOVED
destination.ip REMOVED
destination.port 23
ecs.version 1.4.0
error.message cannot resolve [timestamp] from null as part of path [suricata.eve.timestamp]
event.created Mar 28, 2020 @ 19:05:31.998
event.dataset suricata.eve
event.module suricata
event.original {"timestamp":"2020-03-28T19:05:29.997845-0400","flow_id":1743764644772309,"in_iface":"igb0","event_type":"alert","src_ip":"31.163.149.200","src_port":63604,"dest_ip":"REMOVED","dest_port":23,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2403313,"rev":56306,"signature":"ET CINS Active Threat Intelligence Poor Reputation IP group 14","category":"Misc Attack","severity":2,"metadata":{"updated_at":["2020_03_27"],"created_at":["2013_10_08"],"signature_severity":["Major"],"tag":["CINS"],"deployment":["Perimeter"],"attack_target":["Any"],"affected_product":["Any"]}},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":64,"bytes_toclient":0,"start":"2020-03-28T19:05:29.997845-0400"},"payload":"","payload_printable":"","stream":0,"packet":"ANC3mo+JKKJLe35hCABFAAAoRI0AADYGn8ofo5XIRKCmbfh0ABdEoKZtAAAAAFAC42xIYwAAAAAAAAAAAAAAAA==","packet_info":{"linktype":1}}
fileset.name eve
host.name firewall
input.type log
log.file.path /var/log/suricata/suricata_igb051967/eve.json
log.offset 2,299,115
network.community_id 1:qeEmQjf3RrvU1PhMHxxAAqrPbbs=
network.transport TCP
service.type suricata
source.address 31.163.149.200
source.ip 31.163.149.200
source.port 63604
suricata.eve -
suricata.eve.timestamp Mar 28, 2020 @ 19:05:29.997
tags suricata
Thank you! New to Elastic so still learning.
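Added below the post as a worked example (it is not part of the question, nor code from Filebeat or Elasticsearch): a small offline Python helper for reading that error and for replaying the same line through the installed pipeline. Elasticsearch's ingest document resolves a dotted field path one element at a time, and it reports "cannot resolve [X] from null as part of path [P]" when the object that should contain X is itself null; so the message above means `suricata.eve` was null at the moment a processor reached for `suricata.eve.timestamp`, not that the eve record lacked a timestamp (the event.original shown clearly has one; a missing key produces a different message, "field [timestamp] not present"). The helper reproduces that resolution rule so the two cases can be told apart, checks that a line carries a `timestamp` in the form Suricata writes (`2020-03-28T19:05:29.997845-0400`), and builds the body of a `_ingest/pipeline/<id>/_simulate` request. Assumptions, all mine: the pipeline id `filebeat-7.6.1-suricata-eve-pipeline` follows Filebeat's `filebeat-<version>-<module>-<fileset>-pipeline` naming convention, the pipeline reads the raw line from `message` as Filebeat ships it, and the sample line is constructed from the post's event.original with the redacted destination replaced by an RFC 5737 documentation address and the long `metadata`/`packet` members trimmed.

```python
"""Offline helpers for the "cannot resolve [timestamp] from null" error.

Added example; not code from the post, Filebeat or Elasticsearch.
"""
import json
import re
from datetime import datetime

# Constructed sample: the alert from the post, dest_ip replaced by 192.0.2.10
# and the metadata/flow/packet members trimmed. One eve.json line.
SAMPLE_EVE_LINE = (
    '{"timestamp":"2020-03-28T19:05:29.997845-0400","flow_id":1743764644772309,'
    '"in_iface":"igb0","event_type":"alert","src_ip":"31.163.149.200","src_port":63604,'
    '"dest_ip":"192.0.2.10","dest_port":23,"proto":"TCP","alert":{"action":"allowed",'
    '"gid":1,"signature_id":2403313,"rev":56306,'
    '"signature":"ET CINS Active Threat Intelligence Poor Reputation IP group 14",'
    '"category":"Misc Attack","severity":2}}'
)

# Suricata writes ISO 8601 with microseconds and a colon-less UTC offset.
SURICATA_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_eve_line(line):
    """Parse one eve.json line; return (event dict, parsed timestamp).

    Raises ValueError if the line is not JSON, has no top-level
    'timestamp', or the timestamp is not in Suricata's format.
    """
    event = json.loads(line)
    ts = event.get("timestamp")
    if ts is None:
        raise ValueError("eve record has no top-level 'timestamp' field")
    return event, datetime.strptime(ts, SURICATA_TS_FORMAT)


def resolve_path(doc, path):
    """Resolve a dotted path the way Elasticsearch's ingest document does.

    Walks one element at a time and raises LookupError with the same
    wording Elasticsearch uses: "from null" when the parent object is
    null, "not present" when the key is simply missing.
    """
    context = doc
    for element in path.split("."):
        if context is None:
            raise LookupError(
                f"cannot resolve [{element}] from null as part of path [{path}]")
        if not isinstance(context, dict):
            raise LookupError(
                f"cannot resolve [{element}] from object of type "
                f"[{type(context).__name__}] as part of path [{path}]")
        if element not in context:
            raise LookupError(
                f"field [{element}] not present as part of path [{path}]")
        context = context[element]
    return context


def resolution_error(doc, path):
    """Return the ingest-style error message for path in doc, or None if it resolves."""
    try:
        resolve_path(doc, path)
    except LookupError as exc:
        return str(exc)
    return None


_FROM_NULL_RE = re.compile(
    r"cannot resolve \[(?P<element>[^\]]+)\] from null as part of path \[(?P<path>[^\]]+)\]")


def null_parent_from_error(message):
    """Name the object that was null, e.g. 'suricata.eve' for the post's error.

    Returns None for any other kind of message. If the same element name
    repeats within the path, the first occurrence is assumed.
    """
    m = _FROM_NULL_RE.search(message)
    if not m:
        return None
    parts = m.group("path").split(".")
    idx = parts.index(m.group("element"))
    return ".".join(parts[:idx]) or "<document root>"


def build_simulate_request(lines, pipeline_id):
    """Return (url path, body) for replaying raw lines through a pipeline.

    Assumption: the module pipeline reads the raw line from `message`,
    which is where Filebeat puts it before the pipeline runs.
    """
    docs = [{"_source": {"message": line}} for line in lines]
    return f"/_ingest/pipeline/{pipeline_id}/_simulate?verbose=true", {"docs": docs}


if __name__ == "__main__":
    event, ts = parse_eve_line(SAMPLE_EVE_LINE)
    print("eve timestamp parses to", ts.isoformat())
    healthy = {"message": SAMPLE_EVE_LINE, "suricata": {"eve": event}}
    print("resolved:", resolve_path(healthy, "suricata.eve.timestamp"))
    broken = {"message": SAMPLE_EVE_LINE, "suricata": {"eve": None}}
    msg = resolution_error(broken, "suricata.eve.timestamp")
    print(msg, "-> null object was:", null_parent_from_error(msg))
    url, body = build_simulate_request([SAMPLE_EVE_LINE], "filebeat-7.6.1-suricata-eve-pipeline")
    print("POST", url)
    print(json.dumps(body, indent=2))
```

To use the simulate body, POST it to Elasticsearch (for example with curl) and read the `processor_results` list: the first processor whose `status` is not `success` is the one that saw `suricata.eve` as null, and the `doc` printed for the processor before it shows what the document looked like at that point.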