I'm running 7.14.1 with an Elastic agent trying to pick up eve.json files using the suricata integration. Somewhere along the line it is not able to correctly parse the events.
Here is the error I'm getting:
{\"type\":\"illegal_argument_exception\",\"reason\":\"failed to parse date field [2020_09_17] with format [strict_date_optional_time||epoch_millis]\",\"caused_by\":{\"type\":\"date_time_parse_exception\",\"reason\":\"Failed to parse with all enclosed parsers\"}}}",
Here is an example event:
{
"timestamp": "2021-09-21T18:01:02.246905+0000",
"flow_id": 1540764184003705,
"in_iface": "bond0",
"event_type": "alert",
"src_ip": "10.0.0.19",
"src_port": 50396,
"dest_ip": "192.168.160.110",
"dest_port": 1433,
"proto": "TCP",
"community_id": "1:thlTObB11NQtZZ0GY++UkQJ6hSs=",
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 2010935,
"rev": 3,
"signature": "ET SCAN Suspicious inbound to MSSQL port 1433",
"category": "Potentially Bad Traffic",
"severity": 2,
"metadata": {
"created_at": [
"2010_07_30"
],
"former_category": [
"HUNTING"
],
"updated_at": [
"2018_03_27"
]
},
"rule": "alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:\"ET SCAN Suspicious inbound to MSSQL port 1433\"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010935; classtype:bad-unknown; sid:2010935; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)"
},
"payload_printable": "",
"stream": 0,
"packet": "iBVEOAABNFb+d/2MCABFAAA0LdlAAH8GYsEKAAATwKigbsTcBZkU/B1TAAAAAIACIADnIQAAAgQFtAEDAwgBAQQC",
"packet_info": {
"linktype": 1
}
}
The `2020_09_17` value in the error has the same `YYYY_MM_DD` shape as the `alert.metadata.created_at` / `updated_at` strings in the example above, so those look like the fields the date parser is choking on. Any ideas?