From Logstash to Filebeat (Suricata module) - Substring Search No Longer Works

I'm testing a move from Logstash to Filebeat with the Suricata plugin and I'm noticing that substring searching no longer works.

For example, when I used Logstash (no custom template, just defaults, but JSON codec), I could simply search in Kibana for "ET POLICY" and see records where a certain field started with "ET POLICY". With Filebeat, all defaults, but Suricata module, this no longer works. However searching for the full value of the field, "ET POLICY curl User-Agent Outbound" returns results.

First, is this expected behaviour? And second, is there a way to do a sub-string search on values added with Filebeat (and/or the Suricata module)?

I have tested adding Suricata JSON records without the Suricata module (to avoid the ECS conversion) and have found the same thing. My feeling is that these fields aren't analyzed like they were with the default Logstash template.

Thanks for any insight. I actually develop a tool to work with Suricata events using an Elasticsearch backend, and I try to make it play nice with the Elastic stack. I'm finally getting around to adding ECS support as I'm seeing more users try the Filebeat w/Suricata module.
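The behaviour described in the question comes down to field mapping: the legacy Logstash default template indexes string fields as analyzed `text` (with a `.keyword` sub-field), so the signature is split into terms and a free-text search for "ET POLICY" matches them, whereas the Filebeat/ECS template maps the signature as an unanalyzed `keyword`, which only matches the complete value. The following is an added example, not code from the post or from Elastic: an in-memory simulation of the two field types, the multi-field mapping that restores term matching, and the `wildcard` query that gives prefix matching on a keyword field. No cluster is involved; the analyzers and the inverted index are simulated, and the sample alert names, the field name `signature` and the ECS field name `rule.name` are assumptions for the demo.

```python
"""Added example (not from the original post): why "ET POLICY" hits a
`text` field but not a `keyword` field, simulated in memory."""

import re
from dataclasses import dataclass, field

# Constructed sample Suricata signature names (not taken from the post).
ALERTS = [
    "ET POLICY curl User-Agent Outbound",
    "ET POLICY Python-urllib/ Suspicious User Agent",
    "ET INFO Dotted Quad Host DLL Request",
]


def standard_analyze(value):
    """Approximation of Elasticsearch's `standard` analyzer (the default for
    a `text` field): split on non-word characters and lowercase."""
    return [t.lower() for t in re.findall(r"[\w']+", value)]


def keyword_analyze(value):
    """A `keyword` field is not analyzed: the whole value is one exact term."""
    return [value]


@dataclass
class SimIndex:
    """Tiny inverted index standing in for one mapped field."""
    analyze: object                                # analyzer for this field type
    docs: list = field(default_factory=list)
    postings: dict = field(default_factory=dict)   # term -> set(doc_id)

    def add(self, value):
        doc_id = len(self.docs)
        self.docs.append(value)
        for term in self.analyze(value):
            self.postings.setdefault(term, set()).add(doc_id)
        return doc_id

    def match(self, query):
        """Like a `match` query with operator AND: analyze the query text with
        the field's own analyzer and require every resulting term."""
        hits = None
        for term in self.analyze(query):
            ids = self.postings.get(term, set())
            hits = ids if hits is None else hits & ids
        return [self.docs[i] for i in sorted(hits or ())]

    def wildcard(self, pattern, case_insensitive=False):
        """Like a `wildcard` query on a keyword field: glob over the stored
        term. `case_insensitive` mirrors the query option of the same name."""
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        rx = re.compile(regex, re.IGNORECASE if case_insensitive else 0)
        return [d for d in self.docs if rx.match(d)]


def build_index(field_type):
    """Index the sample alerts as either a `text` or a `keyword` field."""
    analyzer = {"text": standard_analyze, "keyword": keyword_analyze}[field_type]
    idx = SimIndex(analyzer)
    for name in ALERTS:
        idx.add(name)
    return idx


def multi_field_mapping():
    """Mapping in the style of the legacy Logstash template: analyzed `text`
    for free-text search plus a `.keyword` sub-field for exact match and
    aggregations. The field name `signature` is an assumption."""
    return {
        "properties": {
            "signature": {
                "type": "text",
                "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
            }
        }
    }


def keyword_substring_query(field_name, prefix):
    """Query DSL that finds values starting with `prefix` on a keyword-mapped
    field such as the ECS `rule.name` (assumed name for the signature)."""
    return {"query": {"wildcard": {field_name: {"value": prefix + "*"}}}}


if __name__ == "__main__":
    print("text    :", build_index("text").match("ET POLICY"))
    print("keyword :", build_index("keyword").match("ET POLICY"))
    print("wildcard:", build_index("keyword").wildcard("ET POLICY*"))
```

Two practical notes: `wildcard` on a keyword field is case-sensitive unless `case_insensitive` is set (available from Elasticsearch 7.10), and a leading `*` forces a scan of every term in the field, so prefix patterns are the cheap form. If term matching is genuinely needed on the signature, the alternative is a custom index template that maps it as a `text` multi-field as in `multi_field_mapping()`, at the cost of extra index size.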
