[threatintel Filebeat module] MISP configuration errors with filebeat threatintel module

Hello All,

A question about the Filebeat module "threatintel", on the MISP configuration. Using Filebeat 7.13.2. Below are the settings I have tested, but they show errors in the Filebeat logs. The config is from the Elastic Filebeat docs.

Config:

  misp:
    enabled: true
    var.url: https://<MISP-SERVER>/events/restSearch
    var.api_token: <API-KEY>
    var.first_interval: 24h
    var.interval: 10m

Shows the below error:

ERROR [input.httpjson-cursor] v2/input.go:129 Error while processing http request: failed to execute http client.Do: failed to execute http client.Do: Post "https://<MISP-SERVER>/events/restSearch": POST https://<MISP-SERVER>/events/restSearch giving up after 6 attempts {"input_source": "https://<MISP-SERVER>/events/restSearch", "input_url": "https://<MISP-SERVER>/events/restSearch"}

Am I missing something here? I am able to perform calls using Postman when testing. Everything seems to be talking to each other, but it seems not to make that last step from Filebeat.

Thank you very much in advance!

Can you curl MISP from the same system that Filebeat is running on?

Hey @legoguy1000,

I am able to curl to MISP from the machine Filebeat is running from.

However, when using "/events/restSearch" after the MISP address I keep getting back error 500s, whereas I get status code 200 when sending a GET request to just the MISP server URL and other requests.

I have also tried, both in the Filebeat module config and with curl requests, the use of "/attributes/restSearch/last:1d". From the curl request I am able to get the intended response body, but in the Filebeat logs I am getting the below:

ERROR   [input.httpjson-cursor] v2/request.go:186       error processing response: split was expecting field to be an array  {"input_source": "https://<MISP-SERVER>/attributes/restSearch/last:1d", "input_url": "https://<MISP-SERVER>/attributes/restSearch/last:1d"}

Thank you for your help!
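The second error is the httpjson input refusing to split the response because the value at its split target is not a JSON array. As an added diagnostic that is not from this thread or from the Filebeat module itself, the Python below checks a saved MISP response body against the split target the MISP module is assumed to use (`body.response`), using constructed sample bodies shaped like what the two endpoints return:

```python
import json

# Constructed sample of what MISP returns for POST /events/restSearch:
# "response" is a JSON array of events (sample data, not a real MISP export).
EVENTS_RESTSEARCH = json.loads("""
{"response": [
  {"Event": {"id": "1", "info": "sample event",
             "Attribute": [{"type": "ip-dst", "value": "203.0.113.5"}]}}
]}
""")

# Constructed sample of what MISP returns for GET /attributes/restSearch/last:1d:
# "response" is an object holding an "Attribute" array, not an array itself.
ATTRIBUTES_RESTSEARCH = json.loads("""
{"response": {"Attribute": [{"type": "ip-dst", "value": "203.0.113.5"}]}}
""")


def resolve(payload, path):
    """Walk a dotted path such as 'body.response' into a parsed JSON body.

    'body' is the name httpjson gives the parsed response body; treating the
    rest of the path as plain object keys is an assumption of this script.
    """
    node = payload
    for key in path.split(".")[1:]:  # skip the leading "body"
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def check_split_target(payload, path="body.response"):
    """Return 'ok' when the split target is an array (what the module expects),
    otherwise a short description of why httpjson would reject it."""
    node = resolve(payload, path)
    if node is None:
        return f"{path} is missing from the response"
    if isinstance(node, list):
        return "ok"
    return f"{path} is a {type(node).__name__}, not an array"


if __name__ == "__main__":
    for name, body in [("events/restSearch", EVENTS_RESTSEARCH),
                       ("attributes/restSearch", ATTRIBUTES_RESTSEARCH)]:
        print(f"{name}: {check_split_target(body)}")
```

Replace the constructed bodies with a response saved from `curl` against your own MISP server to see which shape the module is actually being handed.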

I'd check your MISP logs.