HELP! Kibana suricata attack map with attack lines?

Hello,

I am trying to build some cool looking maps, but I am a bit stumped.

goal

I also have GeoIP data on those IP addresses (lat, long, etc.).

I can get the little circle and heat maps on the map, but I am stumped on the "lines"/"attack path" that connect the dots together with a line.

I was doing some reading on the Polygon Style properties, but don't know if that is the correct path to go down.

- running (system specifics)
  - elasticsearch 7.3 (dockered)
  - Kibana 7.3 (dockered)

Hi @iukea,

Have you tried to load the demo data from here? It should at least give you an idea of what parameters are used to create such a visualization. This demo data is from the Elastic Maps for Geospatial Analysis webinar, which you can also watch, I believe.

Best,
Oleg

Thank you very much! I will try this out here tonight!

Interesting, getting

{"statusCode":400,"error":"Bad Request","message":"child "id" fails because ["id" is not allowed to be empty]","validation":{"source":"params","keys":["id"]}}

when I run the command

curl -X POST 'http://localhost:5601/api/saved_objects/map/' -H 'Content-Type: application/json' -H "kbn-xsrf: true" -d "@Suricata_Events_Dark.json"

Hi @iukea, I just updated the instructions for 7.3. This includes both a map and a dashboard with the map embedded. Check out the latest instructions here. Feel free to reach out if you run into any other issues!

Hello, I keep on getting the following error when I try to add the mapping to my logs. Any suggestions?

  {
  "took": 4611,
  "timed_out": false,
  "total": 129784,
  "updated": 0,
  "created": 0,
  "deleted": 0,
  "batches": 1,
  "version_conflicts": 0,
  "noops": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "throttled_millis": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0,
  "failures": [
    {
      "index": "devfilebeat-2019.08.20",
      "type": "_doc",
      "id": "zhpJrWwB8yKfK91YDd8i",
      "cause": {
        "type": "mapper_parsing_exception",
        "reason": "object mapping for [source] tried to parse field [source] as object, but found a concrete value"
      },
      "status": 400
    },
    {
      "index": "devfilebeat-2019.08.20",
      "type": "_doc",
      "id": "zxpJrWwB8yKfK91YDd8i",
      "cause": {
        "type": "mapper_parsing_exception",
        "reason": "object mapping for [source] tried to parse field [source] as object, but found a concrete value"
      },
      "status": 400
    },
    {

> object mapping for [source] tried to parse field [source] as object, but found a concrete value

That looks like you have a mismatch between the mapping definition and the actual data you are trying to ingest.

Perhaps show your mapping and a sample of the data and we might be able to help.

I am a little unclear on

> I keep on getting the following error when I try to add the mapping to my logs.

Typically you add the mapping first with an index_template and then ingest the data; there are very few cases when you can update a mapping.

Perhaps I am misunderstanding.

BTW I just loaded @alexf's demo data in 7.3.1 and it worked great!

If you look at that data in Discover you can see the request_path field which looks like this

request_path

{
  "type": "linestring",
  "coordinates": [
    [
      25.21285,
      45.7816
    ],
    [
      139.691711,
      35.689487
    ]
  ]
}

and in the request_path mapping in the filebeat mapping you can see the geo_shape mapping type

"request_path" : {
  "type" : "geo_shape"
}

You will need something like that to add to the map to get the lines.
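One way to build the request_path value described above, as an added example (not code from this thread or from the demo data). It assumes the events carry their GeoIP points in source.geo.location and destination.geo.location; those field names and the helper names are assumptions. Documents where source is a concrete value rather than an object, as in the mapper_parsing_exception above, are skipped instead of failing.

```python
# Added example: derive the geo_shape "request_path" line for one event.
# Assumed input fields: source.geo.location and destination.geo.location.

def to_lon_lat(point):
    """Normalise a geo_point given as {"lat", "lon"}, a "lat,lon" string or
    a [lon, lat] array to a GeoJSON-ordered [lon, lat] pair, else None."""
    try:
        if isinstance(point, dict):
            lat, lon = float(point["lat"]), float(point["lon"])
        elif isinstance(point, str):
            lat, lon = (float(p) for p in point.split(","))
        elif isinstance(point, (list, tuple)) and len(point) == 2:
            lon, lat = float(point[0]), float(point[1])
        else:
            return None
    except (KeyError, TypeError, ValueError):
        return None
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return [lon, lat]

def geo_location(doc, side):
    """Fetch doc[side]["geo"]["location"], tolerating documents where
    doc[side] is a concrete value (for example a string), not an object."""
    node = doc.get(side)
    if not isinstance(node, dict):
        return None
    geo = node.get("geo")
    return geo.get("location") if isinstance(geo, dict) else None

def add_request_path(doc):
    """Return a copy of doc with request_path set, or None when either
    end of the line has no usable coordinates."""
    src = to_lon_lat(geo_location(doc, "source"))
    dst = to_lon_lat(geo_location(doc, "destination"))
    if src is None or dst is None:
        return None
    path = {"type": "linestring", "coordinates": [src, dst]}
    return {**doc, "request_path": path}

# Constructed sample events, reusing the coordinates shown above.
EVENTS = [
    {"source": {"geo": {"location": {"lat": 45.7816, "lon": 25.21285}}},
     "destination": {"geo": {"location": "35.689487,139.691711"}}},
    {"source": "/var/log/suricata/eve.json",  # concrete value, not an object
     "destination": {"geo": {"location": [139.691711, 35.689487]}}},
]
ENRICHED = [add_request_path(e) for e in EVENTS]
```

The target index still needs request_path mapped as geo_shape before these documents are ingested.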
