Suricata logs over Filebeat

nunex_17 · March 26, 2021, 7:50pm

Hi.

I am sending Suricata logs with filebeat to a ELK server. I have the eve.json configured to rotate every day at midnight.

Logs are being sent to elastic and I can see them in the dashboards and discover tabs. But in fact, it not shows the current logs. I have to select the 24h period and then the logs are shown with the correct timestamp (but from hours ago). For example, now are being shown logs from today at midnight. At the time of this post, it´s currently 7pm. So there's like a 20h hour difference.

How can I solve this issue?

legoguy1000 · March 28, 2021, 4:56pm

I would check the timestamps of the raw log files, the time & time zone of both the system running suricata and your workstation. The most common cause of time issues that I've had is timezones not being correct.

system · April 25, 2021, 6:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat doesn't catchup with suricata eve.json Beats filebeat	7	1885	September 9, 2021
Suricata -> Filebeat -> Elasticsearch Elasticsearch	1	450	April 28, 2021
Wrong timestamp suricata module Kibana	4	517	November 1, 2020
1 Hour Difference on showing Logs in ELK/Kibana Elasticsearch	12	2360	May 4, 2021
Using the Filebeat Suricata Module for EVE-Logs in Syslog messages Beats beats-module , filebeat	1	941	October 7, 2020

Suricata logs over Filebeat

Related topics