kibana 7.2 elasticsearch 7.2 filebeat 6.7.2
filebeat modules enable suricata
suricata.yaml
filebeat.yml
filebeat -e -d "publish"
we can see that the content of eve.json has read out, but can not display in kibana
can anyone help me?
A couple things to begin debugging - we need to first figure out if the data is making it into Elasticsearch.
What is the output of GET /_cat/indices (docs)
Check the filebeat logs for errors. Where these logs are depends on how you have installed Filebeat. If you need assistance with this let me know the OS and how you install Filebeat.
Looking at your config, I wonder if there are issues, as witheve-log.enabled: yes. This should be a boolean value, true. Additionaly, the comment for filetype gives some possible values, but you have a value of file which is not provided as an option. Maybe you want regular? The Beats topic could probably assist you more with that.
Some additional information from @HaranKumar:
- When the module is enabled, there is no need to define the path in filebeat.yml
- Add the path within the suricata module file inside the module folder.
- Run “filebeat setup”
now i can get the eve.json on kibana ,thanks all.