Suricata timestamp problem

Slydder · August 2, 2016, 4:30pm

Hey all,

I am sendling suricata json to logstash and logstash is having problems with the timestamp format:

{:timestamp=>"2016-08-02T18:28:37.516000+0200", :message=>"Failed parsing date from field", :field=>"timestamp", :value=>"2016-08-02T18:28:36.001531+0200", :exception=>"Invalid format: "2016-08-02T18:28:36.001531+0200" is malformed at "-08-02T18:28:36.001531+0200"", :config_parsers=>"YYYY MMM dd HH:mm:ss", :config_locale=>"default=en_US", :level=>:warn}

my logstash config for suricata is as follows (just added the timezone option as a last ditch effort which didn't work):

input {
file {
path => ["/var/log/suricata/eve.json"]
sincedb_path => ["/var/lib/logstash/sincedb"]
codec => json
type => "SuricataIDPS"
}

}

filter {
if [type] == "SuricataIDPS" {
date {
match => [ "timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSS" ]
timezone => "Europe/Berlin"
}
ruby {
code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
}
}

if [src_ip] {
geoip {
source => "src_ip"
target => "geoip"
#database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
if ![geoip.ip] {
if [dest_ip] {
geoip {
source => "dest_ip"
target => "geoip"
#database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}
}
}
}

output {
elasticsearch {
hosts => ["localhost:9200"]
#protocol => http
}
}

Thanks for the help,
Chuck

warkolm · August 3, 2016, 6:11am

Does not match;

You may want to add more S.

Slydder · August 3, 2016, 7:34am

Sorry,

forgot to mention I also tried the following

yyyy-MM-dd'T'HH:mm:ss.SSSSSS
yyyy-MM-dd'T'HH:mm:ss.SSSZ
yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ

All to no avail. but what I am wondering about mostly is the:

config_parsers=>"YYYY MMM dd HH:mm:ss"

entry in the logstash log. This entry looks NOTHING like what I am trying to match with and am not sure why it is even listed.

Slydder · August 3, 2016, 9:44am

So,

After testing everything by starting logstash with only the suricata config and accepting input from stdin then piping the contents of the json log into logstash I can verify that the suricata config is correct using the match

  match => [ "timestamp", "YYYY-MM-dd'T'HH:mm:ss.SSSSSSZ" ]

There is a problem when starting with the normal config and including the suricata config where logstash tries to match against another pattern instead of the pattern in the suricata config even though the type is set to suricata when reading in the json logs.

Topic		Replies	Views
Logstash parses log fine, elasticsearch throws date error? Logstash	2	536	December 17, 2016
Logstash timestamp format Logstash	4	131	May 23, 2024
Logstash Does not extract timestamp from JSON Logstash	6	4948	July 6, 2017
Date Parser error Logstash	4	2005	July 6, 2017
Logstash/elasticsearch failed to parse date field tried both date format [dateOptionalTime], and timestamp number with locale Logstash	10	8528	July 6, 2017

Suricata timestamp problem

Related topics