Filebeat with suricata cannot resolve timestamp from null

Currently using a pfSense running 2.4.x and a filebeat I built against 7.6.1 for FreeBSD. Whenever an alert comes in, I get:
error.message:cannot resolve [timestamp] from null as part of path [suricata.eve.timestamp]

Here's my suricata.yml:

- module: suricata
  # All logs
  eve:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths:
       - "/var/log/suricata/*/eve.json*"

I had built filebeat against x-pack as I wasn't sure if the oss version included it, and I think it may be working, as when filebeat starts up I see this without any errors:
2020-03-28T17:30:46.955-0400 INFO beater/filebeat.go:92 Enabled modules/filesets: suricata (eve)

as well as this if debug is enabled:

2020-03-28T17:30:56.982-0400	DEBUG	[input]	log/config.go:204	recursive glob enabled
2020-03-28T17:30:56.982-0400	DEBUG	[input]	log/input.go:164	exclude_files: [(?-s:.)gz(?-m:$)]. Number of stats: 2
2020-03-28T17:30:56.982-0400	DEBUG	[input]	file/states.go:68	New state added for /var/log/suricata/suricata_igb051967/eve.json
2020-03-28T17:30:56.982-0400	DEBUG	[publisher]	pipeline/client.go:220	Pipeline client receives callback 'onFilteredOut' for event: {Timestamp:0001-01-01 00:00:00 +0000 UTC Meta:null Fields:null Private:{Id:882918-115 Finished:true Fileinfo:<nil> Source:/var/log/suricata/suricata_igb051967/eve.json Offset:2120297 Timestamp:2020-03-28 17:30:31.624443077 -0400 EDT TTL:-1ns Type:log Meta:map[] FileStateOS:882918-115} TimeSeries:false}
2020-03-28T17:30:56.982-0400	DEBUG	[acker]	beater/acker.go:64	stateful ack	{"count": 1}
2020-03-28T17:30:56.983-0400	DEBUG	[input]	log/input.go:185	input with previous states loaded: 1
2020-03-28T17:30:56.983-0400	INFO	log/input.go:152	Configured paths: [/var/log/suricata/*/eve.json*]
2020-03-28T17:30:56.983-0400	DEBUG	[registrar]	registrar/registrar.go:356	Processing 1 events
2020-03-28T17:30:56.983-0400	DEBUG	[reload]	cfgfile/list.go:101	Starting runner: suricata (eve)
2020-03-28T17:30:56.983-0400	DEBUG	[registrar]	registrar/registrar.go:326	Registrar state updates processed. Count: 1
2020-03-28T17:30:56.983-0400	DEBUG	[registrar]	registrar/registrar.go:346	Registrar states cleaned up. Before: 2, After: 2, Pending: 0
2020-03-28T17:30:56.983-0400	DEBUG	[registrar]	registrar/registrar.go:411	Write registry file: /usr/local/sbin/data/registry/filebeat/data.json (2)

Here's an example:

@timestamp	Mar 28, 2020 @ 19:05:29.997
	_id	BMNkI3EBzBkAR07yrjJR
	_index	filebeat-7.6.1-2020.03.10-000001
	_score	 - 
	_type	_doc
	agent.ephemeral_id	bb1df2a5-2109-4c30-b8ee-0281e734dad5
	agent.hostname	firewall
	agent.id	bb1444d3-d287-4023-827e-940c25f8ca63
	agent.type	filebeat
	agent.version	7.6.1
	destination.address	REMOVED
	destination.ip	REMOVED
	destination.port	23
	ecs.version	1.4.0
	error.message	cannot resolve [timestamp] from null as part of path [suricata.eve.timestamp]
	event.created	Mar 28, 2020 @ 19:05:31.998
	event.dataset	suricata.eve
	event.module	suricata
	event.original	{"timestamp":"2020-03-28T19:05:29.997845-0400","flow_id":1743764644772309,"in_iface":"igb0","event_type":"alert","src_ip":"31.163.149.200","src_port":63604,"dest_ip":"REMOVED","dest_port":23,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2403313,"rev":56306,"signature":"ET CINS Active Threat Intelligence Poor Reputation IP group 14","category":"Misc Attack","severity":2,"metadata":{"updated_at":["2020_03_27"],"created_at":["2013_10_08"],"signature_severity":["Major"],"tag":["CINS"],"deployment":["Perimeter"],"attack_target":["Any"],"affected_product":["Any"]}},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":64,"bytes_toclient":0,"start":"2020-03-28T19:05:29.997845-0400"},"payload":"","payload_printable":"","stream":0,"packet":"ANC3mo+JKKJLe35hCABFAAAoRI0AADYGn8ofo5XIRKCmbfh0ABdEoKZtAAAAAFAC42xIYwAAAAAAAAAAAAAAAA==","packet_info":{"linktype":1}}
	fileset.name	eve
	host.name	firewall
	input.type	log
	log.file.path	/var/log/suricata/suricata_igb051967/eve.json
	log.offset	2,299,115
	network.community_id	1:qeEmQjf3RrvU1PhMHxxAAqrPbbs=
	network.transport	TCP
	service.type	suricata
	source.address	31.163.149.200
	source.ip	31.163.149.200
	source.port	63604
	suricata.eve	 - 
	suricata.eve.timestamp	Mar 28, 2020 @ 19:05:29.997
	tags	suricata

Thank you! New to Elastic so still learning.
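A small triage script, added here and not part of the thread or the Filebeat module, that checks whether each eve.json line carries the top-level "timestamp" the suricata pipeline's date processor parses (format and sample lines are constructed from the event.original shown above; field and function names are my own):

```python
# Added example (not from the thread): checks that each eve.json line has
# the top-level "timestamp" Suricata writes and that it parses in EVE's
# format, so a "cannot resolve [timestamp] from null" error can be narrowed
# to a bad log line versus missing pipeline assets in Elasticsearch.
import json
from datetime import datetime

# Suricata EVE timestamps look like 2020-03-28T19:05:29.997845-0400
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Constructed sample: one good alert (timestamp copied from the post's
# event.original), one record without a timestamp, one truncated line.
SAMPLE_LINES = [
    '{"timestamp":"2020-03-28T19:05:29.997845-0400","event_type":"alert",'
    '"src_ip":"31.163.149.200","dest_port":23,"proto":"TCP"}',
    '{"event_type":"stats","uptime":42}',
    '{"timestamp":"2020-03-28T19:05:30.1',
]


def parse_eve_timestamp(value):
    """Return an aware datetime, or None if value is missing or malformed."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.strptime(value, EVE_TS_FORMAT)
    except ValueError:
        return None


def triage_eve_lines(lines):
    """Return (line_no, status, detail) per line; status is one of
    ok / no_timestamp / bad_timestamp / bad_json."""
    results = []
    for n, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            results.append((n, "bad_json", exc.msg))
            continue
        ts = event.get("timestamp")
        if ts is None:
            results.append((n, "no_timestamp", event.get("event_type", "?")))
        elif parse_eve_timestamp(ts) is None:
            results.append((n, "bad_timestamp", ts))
        else:
            results.append((n, "ok", event.get("event_type", "?")))
    return results
```

To run it against a real file, pass the open file object (`triage_eve_lines(open("/var/log/suricata/.../eve.json"))`), since it iterates line by line and trailing newlines are ignored by the JSON parser.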

Hi @mloebl!

It seems to be working overall as we suggest. However I'm wondering at what part this error occurs, maybe at some processors like here: https://github.com/elastic/beats/blob/7eb2fba1f12e4bf0b623572d333ebc29e6f04202/x-pack/filebeat/module/suricata/eve/config/eve.yml#L38

Could you provide a complete output of Filebeat's logs (in debug mode) so as to see if there is something useful reported there?

Thank you for the reply! I attached the debug log and marked REMOVED for a couple of the obvious personal things I took out. I also ran into a size limit here, so put it here:
https://pastebin.com/raw/twg6hmve

EDIT: Also unsure if related, but saw this old checkin from a year ago:

I may have finally found it! I ran filebeat setup, again, and seems to be working. First time I ran filebeat setup now that I think about it was with the oss version, so wondering if it didn't properly add the fields. I noticed I got a dozen new fields this time and looking much better. :slight_smile:
