A question about the Filebeat module "threatintel", on the MISP configuration. Using Filebeat 7.13.2. Below are the settings that I have tested, but they show errors in the Filebeat logs. The config is from the Elastic Filebeat docs.
ERROR [input.httpjson-cursor] v2/input.go:129 Error while processing http request: failed to execute http client.Do: failed to execute http client.Do: Post "https://<MISP-SERVER>/events/restSearch": POST https://<MISP-SERVER>/events/restSearch giving up after 6 attempts {"input_source": "https://<MISP-SERVER>/events/restSearch", "input_url": "https://<MISP-SERVER>/events/restSearch"}
Am I missing something here? I am able to perform calls using Postman when testing. Everything seems to be talking to each other, but it seems to not make it that last step from Filebeat.
I am able to curl to MISP from the machine Filebeat is running from.
However, when using "/events/restSearch" after the MISP address I keep getting back error 500s, whereas I am able to get status code 200 when sending a GET request to just the MISP server URL and other requests.
I have also tried the use of "/attributes/restSearch/last:1d", both in the Filebeat module config and with curl requests. From the curl request I am able to get the intended response body. But in the Filebeat logs I am getting the below:
ERROR [input.httpjson-cursor] v2/request.go:186 error processing response: split was expecting field to be an array {"input_source": "https://<MISP-SERVER>/attributes/restSearch/last:1d", "input_url": "https://<MISP-SERVER>/attributes/restSearch/last:1d"}
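A way to check a saved response body against the "split was expecting field to be an array" error, as an added example that is not part of the original post or of Filebeat's code. The sample bodies are constructed, and both the split target `response` and the two body shapes (a list under `response` for events, an object holding `Attribute` for attributes) are assumptions about the module's configuration and MISP's output.

```python
import json

# Constructed sample bodies (not captured from a real server). The shapes are
# assumptions about what MISP returns from its two restSearch endpoints.
EVENTS_BODY = ('{"response": [{"Event": {"id": "1", "Attribute": '
               '[{"type": "domain", "value": "example.test"}]}}]}')
ATTRIBUTES_BODY = ('{"response": {"Attribute": '
                   '[{"type": "domain", "value": "example.test"}]}}')


def resolve(doc, dotted):
    """Walk a dotted path such as 'response.Attribute'; None if absent."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def check_split(body_text, target="response"):
    """Return (ok, detail); ok is True only when `target` is a JSON array.

    `target` defaults to 'response', the assumed split target of the module.
    """
    try:
        doc = json.loads(body_text)
    except json.JSONDecodeError as exc:
        # e.g. an HTML error page returned with a 500 status
        return False, f"body is not JSON: {exc.msg}"
    value = resolve(doc, target)
    if value is None:
        return False, f"'{target}' is missing"
    if isinstance(value, list):
        return True, f"'{target}' is an array of {len(value)} item(s)"
    hint = ""
    if isinstance(value, dict):
        # Point at nested arrays, which is where the records actually live.
        arrays = [k for k, v in value.items() if isinstance(v, list)]
        if arrays:
            hint = "; arrays found at " + ", ".join(
                f"{target}.{k}" for k in arrays)
    return False, f"'{target}' is {type(value).__name__}, not an array{hint}"


if __name__ == "__main__":
    for name, body in (("events", EVENTS_BODY),
                       ("attributes", ATTRIBUTES_BODY)):
        print(name, check_split(body))
```

Saving the curl output to a file and passing its contents to `check_split` shows whether the endpoint in use returns the shape the split step can consume.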