Filebeat with Suricata in Windows can't parse log file

jkana · June 29, 2019, 3:12am

Hello,
I have issue with filebeat while parsing Suricata log to ELK. My Filebeat 7.0.2 on Windows can't parse Suricata logs to ELK. It seem a bug in Filebeat on Windows since Filebeat on my Linux work correctly

Here is my log
// 2019-06-28T17:53:00.084+0700 WARN elasticsearch/client.go:527 Cannot index event publisher.Event
{Content:beat.Event{Timestamp:time.Time{wall:0xbf3d9a4256f0ae40, ext:3052820301, loc:(*time.Location)(0x22ef320)}, Meta:common.MapStr{"pipeline":"filebeat-7.2.0-suricata-eve-pipeline"}, Fields:common.MapStr{"agent":common.MapStr{"ephemeral_id":"7c204391-3628-493e-92f0-7a569837bdcd", "hostname":"WIN-2029I99PBF7", "id":"5df36cd9-df76-46e4-a1c8-b895e974a975", "type":"filebeat", "version":"7.2.0"}, "ecs":common.MapStr{"version":"1.0.0"}, "event":common.MapStr{"dataset":"suricata.eve", "module":"suricata"}, "fileset":common.MapStr{"name":"eve"}, "host":common.MapStr{"architecture":"x86_64", "hostname":"WIN-2029I99PBF7", "id":"cdb4aed9-9153-4a67-a3e8-7b5ac5aed362", "name":"WIN-2029I99PBF7", "os":common.MapStr{"build":"9600.0", "fa
mily":"windows", "kernel":"6.3.9600.18505 (winblue_ltsb.160930-0600)", "name":"Windows Server 2012 R2 Standard", "platform":"windows", "version":"6.3"}}, "input":common.MapStr{"type":"log"}, "json":common.MapStr{"dest_ip":"113.171.234.133", "dest_port":80, "event_type":"flow", "flow":common.MapStr{"age":4, "alerted":false, "bytes_toclient":0, "bytes_toserver":132, "end":"2019-06-28T17:51:17.012998SE Asia Standard Time", "pkts_toclient":0, "pkts_toserver":2, "reason":"timeout", "start":"2019-06-28T17:51:13.999170SE Asia Standard Time", "state":"new"}, "flow_id":1139398739574530, "proto":"TCP","src_ip":"x.x.x.x", "src_port":60529, "tcp":common.MapStr{"cwr":true, "ecn":true, "state":"syn_sent", "syn":true,"tcp_flags":"c2", "tcp_flags_tc":"00", "tcp_flags_ts":"c2"}, "timestamp":"2019-06-28T17:52:18.003075SE Asia Standard Time"}, "log":common.MapStr{"file":common.MapStr{"path":"c:\program files\suricata\log\eve.json"}, "offset":3097823}, "network":common.MapStr{"community_id":"1:TpaCvdUiD49JnH9y2pOBNVvaAFA="}, "service":common.MapStr{"type":"suricata"}, "tags":string{"suricata"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0000d2230), Source:"c:\program files\suricata\log\eve.json", Offset:3098407, Timestamp:time.Time{wall:0xbf3d9a419d2cff48, ext:157436501, loc:(*time.Location)(0x22ef320)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{IdxHi:0x760000, IdxLo:0x1f9a1, Vol:0x78fbdf13}}, TimeSeries:false}, Flags:0x1} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse","caused_by":{"type":"illegal_argument_exception","reason":"Cannot write to a field alias [suricata.eve.proto]."}}

Here are some informations:

ELK Version: 7.0.2
Filebeat : 7.0.2
Suricata: 4.1.4
Operating System: Windows Server 2012

faec · July 3, 2019, 8:49pm

Welcome! Can you share the filebeat.yml that goes with this error?

jkana · July 4, 2019, 1:16am

Hi Fae,

It seem Filebeat 7.0.2 doesn't support Suricata 4.1.4 now. I tried to use Suricata 4.0.4 and it worked well.

Maybe there are some difference in logs between Suricata 4.1.4 and Suricata 4.0.4.

Rgrds,

system · August 1, 2019, 1:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.