Suricata dashboard on 5.0 - Ruby issue

Hi All,

On the new version of Logstash the ruby field references have changed.

As such the ruby code in the Logstash config here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output

No longer works with the latest version.

The code is:
"if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"

Which i modified to be:
"if event.get('event_type') == 'fileinfo'; event.set('fileinfo''type')=event.get('fileinfo''magic').to_s.split(',')[0]; end;"

Which causes Logstash to go into a reboot loop.

Having not touched ruby at all ever, can anyone see what I'm doing wrong here?

You're using the wrong syntax to reference nested fields. See https://www.elastic.co/guide/en/logstash/current/event-api.html for details and examples.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.