[threatintel Filebeat module] MISP configuration errors with filebeat threatintel module

Balor · June 30, 2021, 10:36am

Hello All,

A question about the Filebeat module " threatintel ". On the MISP configuration . Using Filebeat 7.13.2.The below are the settings that I have tested but shows with errors in the filebeat logs. The config is from the Elastic Filebeat docs.

Config:

  misp:
    enabled: true
    var.url: https://<MISP-SERVER>/events/restSearch
    var.api_token: <API-KEY>
    var.first_interval: 24h
    var.interval: 10m

Shows the below error:

ERROR [input.httpjson-cursor] v2/input.go:129 Error while processing http request: failed to execute http client.Do: failed to execute http client.Do: Post "https://<MISP-SERVER>/events/restSearch": POST https://<MISP-SERVER>/events/restSearch giving up after 6 attempts {"input_source": "https://<MISP-SERVER>/events/restSearch", "input_url": "https://<MISP-SERVER>/events/restSearch"}

Am I missing something here? Am able to perform calls using postman when testing. everything seems to be talking to each other but it seems to not make it that last step from Filebeat.

Thank you very much in advance!

legoguy1000 · June 30, 2021, 10:57am

Can u curl misp from the same system that filebeat is running on?

Balor · June 30, 2021, 12:15pm

Hey @legoguy1000,

I am able to curl to MISP from the machine Filebeat is running from.

However, when using the "/events/restSearch" after the MISP address I keep getting back error 500's. Where I am able to get Status codes 200 when sending a GET request to just the MISP server URL and other requests.

I have also tried both in the Filebeat module config and with Curl requests the use of "/attributes/restSearch/last:1d". From the curl request I am able to get the intended response body. But in the Filebeat output in the Filebeat logs I am getting the below:

ERROR   [input.httpjson-cursor] v2/request.go:186       error processing response: split was expecting field to be an array  {"input_source": "https://<MISP-SERVER>/attributes/restSearch/last:1d", "input_url": "https://<MISP-SERVER>/attributes/restSearch/last:1d"}

Thank you for your help!

legoguy1000 · June 30, 2021, 12:35pm

I'd check your MISP logs.

Topic		Replies	Views
MISP Configuration issue in Filebeat module Elasticsearch	2	552	January 12, 2022
Integration Misp using Filebeat Beats filebeat	5	554	June 17, 2022
Msip threat intel import not working Elastic Security	3	431	October 3, 2021
Threat intel Filebeat module - I don't get any data From MISP and i don't know why Beats beats-module , filebeat	1	542	April 15, 2023
Threat Intel MISP Beats filebeat	4	308	September 16, 2022

[threatintel Filebeat module] MISP configuration errors with filebeat threatintel module

Related topics