Suricata integration parsing issues

I'm running 7.14.1 with an Elastic agent trying to pick up eve.json files using the Suricata integration. Somewhere along the line it is not able to correctly parse the events.

Here is the error I'm getting:

{"type":"illegal_argument_exception","reason":"failed to parse date field [2020_09_17] with format [strict_date_optional_time||epoch_millis]","caused_by":{"type":"date_time_parse_exception","reason":"Failed to parse with all enclosed parsers"}}

Here is an example event:

{
  "timestamp": "2021-09-21T18:01:02.246905+0000",
  "flow_id": 1540764184003705,
  "in_iface": "bond0",
  "event_type": "alert",
  "src_ip": "10.0.0.19",
  "src_port": 50396,
  "dest_ip": "192.168.160.110",
  "dest_port": 1433,
  "proto": "TCP",
  "community_id": "1:thlTObB11NQtZZ0GY++UkQJ6hSs=",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2010935,
    "rev": 3,
    "signature": "ET SCAN Suspicious inbound to MSSQL port 1433",
    "category": "Potentially Bad Traffic",
    "severity": 2,
    "metadata": {
      "created_at": [
        "2010_07_30"
      ],
      "former_category": [
        "HUNTING"
      ],
      "updated_at": [
        "2018_03_27"
      ]
    },
    "rule": "alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:\"ET SCAN Suspicious inbound to MSSQL port 1433\"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010935; classtype:bad-unknown; sid:2010935; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)"
  },
  "payload_printable": "",
  "stream": 0,
  "packet": "iBVEOAABNFb+d/2MCABFAAA0LdlAAH8GYsEKAAATwKigbsTcBZkU/B1TAAAAAIACIADnIQAAAgQFtAEDAwgBAQQC",
  "packet_info": {
    "linktype": 1
  }
}

Any ideas?
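A pre-check for the underscore-dated rule metadata in the event above, added here as an example and not part of the original thread or of the Elastic Suricata integration: it reads eve.json lines, reports which alert.metadata.created_at / updated_at values would not be accepted by an Elasticsearch date field using strict_date_optional_time||epoch_millis (approximated with regexes, an assumption), and rewrites YYYY_MM_DD values to ISO 8601 so a date-typed mapping accepts them. The two sample lines are constructed from the posted alert and a minimal flow record; the key names are taken from the posted event.

```python
"""Pre-check and normalise Suricata EVE alert metadata dates before indexing.

Added example, not code from the thread or the Elastic integration. It reads
EVE JSON lines, finds alert.metadata.created_at / updated_at values written in
the Emerging Threats rule style (YYYY_MM_DD), reports which would fail a date
field mapped with strict_date_optional_time||epoch_millis, and rewrites them
to ISO 8601 (YYYY-MM-DD) without touching the caller's event object.
"""
import json
import re
from datetime import date

# ET rule metadata dates look like 2010_07_30 (see the posted event).
UNDERSCORE_DATE = re.compile(r"^(\d{4})_(\d{2})_(\d{2})$")
# Assumption: approximate strict_date_optional_time as an ISO 8601 date with an
# optional time and zone part, and epoch_millis as a plain integer.
ISO_DATE_OPTIONAL_TIME = re.compile(
    r"^\d{4}-\d{2}-\d{2}"
    r"(T\d{2}:\d{2}(:\d{2}(\.\d{1,9})?)?(Z|[+-]\d{2}:?\d{2})?)?$"
)
EPOCH_MILLIS = re.compile(r"^-?\d+$")

# Keys the posted event carries under alert.metadata that hold dates.
DATE_KEYS = ("created_at", "updated_at")


def accepted_by_es_date_field(value: str) -> bool:
    """True if value looks parseable by strict_date_optional_time||epoch_millis."""
    return bool(ISO_DATE_OPTIONAL_TIME.match(value) or EPOCH_MILLIS.match(value))


def normalise_date(value: str) -> str:
    """Convert 2010_07_30 -> 2010-07-30; leave other values as they are."""
    m = UNDERSCORE_DATE.match(value)
    if not m:
        return value
    y, mo, d = (int(g) for g in m.groups())
    date(y, mo, d)  # raises ValueError on a non-calendar date such as 2010_13_45
    return f"{y:04d}-{mo:02d}-{d:02d}"


def find_bad_dates(event: dict) -> list:
    """List (field, value) pairs that a date-typed mapping would reject."""
    meta = event.get("alert", {}).get("metadata", {})
    bad = []
    for key in DATE_KEYS:
        for v in meta.get(key, []):
            if not accepted_by_es_date_field(v):
                bad.append((f"alert.metadata.{key}", v))
    return bad


def normalise_event(event: dict) -> dict:
    """Return a copy of event with the metadata dates rewritten to ISO 8601."""
    fixed = json.loads(json.dumps(event))  # cheap deep copy; caller's dict is untouched
    meta = fixed.get("alert", {}).get("metadata")
    if isinstance(meta, dict):
        for key in DATE_KEYS:
            if key in meta:
                meta[key] = [normalise_date(v) for v in meta[key]]
    return fixed


def process_eve_lines(lines):
    """Yield (normalised_event, bad_fields_before) per JSON line; skip junk lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json may end with a partially written line
        yield normalise_event(event), find_bad_dates(event)


# Constructed sample: the posted alert (trimmed) plus a flow record with no alert block.
SAMPLE_EVE = "\n".join([
    json.dumps({
        "timestamp": "2021-09-21T18:01:02.246905+0000",
        "event_type": "alert",
        "src_ip": "10.0.0.19", "dest_ip": "192.168.160.110", "dest_port": 1433, "proto": "TCP",
        "alert": {
            "signature_id": 2010935,
            "signature": "ET SCAN Suspicious inbound to MSSQL port 1433",
            "metadata": {"created_at": ["2010_07_30"],
                         "former_category": ["HUNTING"],
                         "updated_at": ["2018_03_27"]},
        },
    }),
    json.dumps({"timestamp": "2021-09-21T18:01:03.000000+0000",
                "event_type": "flow", "proto": "UDP"}),
])
SAMPLE_EVENTS = [json.loads(l) for l in SAMPLE_EVE.splitlines()]

if __name__ == "__main__":
    for fixed, bad in process_eve_lines(SAMPLE_EVE.splitlines()):
        print(fixed.get("event_type"), "would reject:", bad)
```

Run it over a real eve.json with `process_eve_lines(open(path))` to see which metadata values are the ones that cannot be parsed as dates before deciding how to map or pre-process the field.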

What version of the Suricata integration? Looking at the ingest pipeline it should be working.

Just upgraded to v1.2.0 and getting a different error this time:

Field [suricata.eve.alert.metadata.created_at] of type [flattened] doesn't support formats.

Can anyone from Elastic comment please? Suricata EVE JSON is pretty standard so I'm surprised we're having issues...
