Hello Team,
I built my lab with Suricata and web servers. I tried to send the Suricata logs to ELK, but I received an error when I did the parse.
My conf:

    input {
      udp {
        port => "514"
        type => "syslog"
      }
    }
    filter {
      json {
        source => "message"
      }
    }
    output {
      stdout {}
    }
But I received this error:
[2020-09-17T11:42:25,613][WARN ][logstash.filters.json ][main][c3ae95835f9d11e27a9b4e7c14651433b6767ca87df67a270462822942fd6c02] Error parsing json {:source=>"message", :raw=>"<13>Sep 16 18:07:59 proapps-security suricata-halfling: {"timestamp":"2020-09-17T11:42:04.985994-0300","flow_id":738087809626408,"in_iface":"ix1","event_type":"alert","src_ip":"99.125.125.125","src_port":9999,"dest_ip":"192.168.0.1","dest_port":389,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2016150,"rev":2,"signature":"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)","category":"Attempted User Privilege Gain","severity":1,"metadata":{"updated_at":["2013_01_04"],"created_at":["2013_01_04"]}},"app_proto":"failed","flow":{"pkts_toserver":5,"pkts_toclient":0,"bytes_toserver":569,"bytes_toclient":0,"start":"2020-09-17T11:41:56.110888-0300"}}\n", :exception=>#<LogStash::Json::ParserError: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
at [Source: (byte)"
Could you please help me?
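The raw message in the warning shows why the json filter fails: the UDP input hands Logstash the entire syslog line, so the field begins with the `<13>` priority and the RFC 3164 header rather than with `{`. The Ruby script below is an added example, not code from the poster or from the Logstash project. It performs the two steps a working pipeline needs, splitting off the syslog header with a pattern and JSON-decoding only the remainder, on a constructed line modelled on the one in the warning, and it tags a line whose payload is not JSON instead of raising. The grok pattern quoted in the comment is an assumption about how the same split would be written in a Logstash filter.

```ruby
require 'json'

# Constructed sample line, modelled on the raw message in the Logstash warning:
# an RFC 3164 syslog header (<PRI>timestamp host tag:) followed by a Suricata EVE JSON object.
SAMPLE_LINE = '<13>Sep 16 18:07:59 proapps-security suricata-halfling: {"timestamp":"2020-09-17T11:42:04.985994-0300","event_type":"alert","src_ip":"99.125.125.125","src_port":9999,"dest_ip":"192.168.0.1","dest_port":389,"proto":"UDP","alert":{"signature_id":2016150,"signature":"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)","severity":1}}' + "\n"

# Matches the syslog header and captures the rest of the line as the JSON payload.
# Assumed Logstash equivalent (grok), not taken from the original post:
#   <%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}: %{GREEDYDATA:eve_json}
SYSLOG_HEADER = /\A<(?<pri>\d{1,3})>(?<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?<host>\S+) (?<program>[^:\s]+): (?<payload>.*)\z/m

# Splits a syslog line into its header fields and the raw payload; nil if no header is present.
def split_syslog(line)
  m = SYSLOG_HEADER.match(line.chomp)
  return nil unless m
  {
    "syslog_pri" => m[:pri].to_i,
    "syslog_timestamp" => m[:timestamp],
    "syslog_host" => m[:host],
    "syslog_program" => m[:program],
    "payload" => m[:payload],
  }
end

# Parses the Suricata event out of a syslog-wrapped line. Returns the syslog fields plus the
# decoded EVE object under "eve"; a line with no header or a non-JSON payload is returned with
# an "error" field so the bad event is tagged rather than crashing the pipeline.
def parse_suricata_syslog(line)
  header = split_syslog(line)
  return { "error" => "no syslog header" } unless header
  begin
    eve = JSON.parse(header.delete("payload"))
  rescue JSON::ParserError => e
    return header.merge("error" => "payload is not JSON: #{e.message}")
  end
  header.merge("eve" => eve)
end

if __FILE__ == $0
  puts JSON.pretty_generate(parse_suricata_syslog(SAMPLE_LINE))
end
```

In Logstash the same shape is a grok or dissect filter that captures everything after the program tag into its own field, followed by `json { source => "that_field" }`, so the json filter only ever sees text starting at `{`. Keeping the non-JSON branch as a tagged event rather than a dropped one makes malformed lines visible in the index instead of silently losing them.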