I am still fighting with this but have an update.
Timestamp Resolution (sort of):
I switched from having Filebeat send the data straight to Elasticsearch and instead started sending it to Logstash. This action helped resolve the timestamp problem and I can now select it, though I still don't understand why I couldn't do that when sending the data JSON -> Filebeat -> Elasticsearch.
However, geo / geo point / geoip is still not working and I'm fighting with how to get it functioning properly.
- The JSON formatted file is read, the events do get into ELK
- When I turn on debugging in filebeat I get the following log entries prior to each record push:
2019-09-18T18:58:50.181-0700 DEBUG [processors] processing/processors.go:108 Fail to apply processor client{drop_fields=json.actions, rename=[{From:json To:zeek.notice} {From:zeek.notice.src To:source.address} {From:zeek.notice.dst To:destination.address} {From:zeek.notice.uid To:zeek.session_id} {From:zeek.notice.p To:destination.port} {From:zeek.notice.conn To:zeek.notice.connnection_id} {From:zeek.notice.iconn To:zeek.notice.icmp_id} {From:zeek.notice.id.orig_h To:source.address} {From:zeek.notice.id.orig_p To:source.port} {From:zeek.notice.id.resp_h To:destination.address} {From:zeek.notice.id.resp_p To:destination.port} {From:zeek.notice.proto To:network.transport} {From:zeek.notice.id.orig_p To:source.port} {From:zeek.notice.f.id To:zeek.notice.file.id} {From:zeek.notice.f.parent_id To:dzeek.notice.file.parent_id} {From:zeek.notice.f.source To:zeek.notice.file.source} {From:zeek.notice.f.is_orig To:zeek.notice.file.is_orig} {From:zeek.notice.f.seen_bytes To:zeek.notice.file.seen_bytes} {From:zeek.notice.f.total_bytes To:zeek.notice.file.total_bytes} {From:zzeek.notice.file_mime_type To:zeek.notice.file.mime_type}], drop_fields=zeek.notice.remote_location, zeek.notice.f, community_id=[target=network.community_id, fields=[source_ip=source.address, source_port=source.port, destination_ip=destination.address, destination_port=destination.port, transport_protocol=network.transport, icmp_type=icmp.type, icmp_code=icmp.code], seed=0]}: key not found
2019-09-18T18:58:50.181-0700 DEBUG [rename] actions/rename.go:81 Failed to rename fields in processor: target field source.port already exists, drop or rename this field first
2019-09-18T18:58:50.181-0700 DEBUG [processors] processing/processors.go:108 Fail to apply processor client{drop_fields=json.actions, rename=[{From:json To:zeek.notice} {From:zeek.notice.src To:source.address} {From:zeek.notice.dst To:destination.address} {From:zeek.notice.uid To:zeek.session_id} {From:zeek.notice.p To:destination.port} {From:zeek.notice.conn To:zeek.notice.connnection_id} {From:zeek.notice.iconn To:zeek.notice.icmp_id} {From:zeek.notice.id.orig_h To:source.address} {From:zeek.notice.id.orig_p To:source.port} {From:zeek.notice.id.resp_h To:destination.address} {From:zeek.notice.id.resp_p To:destination.port} {From:zeek.notice.proto To:network.transport} {From:zeek.notice.id.orig_p To:source.port} {From:zeek.notice.f.id To:zeek.notice.file.id} {From:zeek.notice.f.parent_id To:dzeek.notice.file.parent_id} {From:zeek.notice.f.source To:zeek.notice.file.source} {From:zeek.notice.f.is_orig To:zeek.notice.file.is_orig} {From:zeek.notice.f.seen_bytes To:zeek.notice.file.seen_bytes} {From:zeek.notice.f.total_bytes To:zeek.notice.file.total_bytes} {From:zzeek.notice.file_mime_type To:zeek.notice.file.mime_type}], drop_fields=zeek.notice.remote_location, zeek.notice.f, community_id=[target=network.community_id, fields=[source_ip=source.address, source_port=source.port, destination_ip=destination.address, destination_port=destination.port, transport_protocol=network.transport, icmp_type=icmp.type, icmp_code=icmp.code], seed=0]}: key not found, key not found
- Again I'm definitely new to this, but it looks like it might be having a problem with renaming fields? I see entries for geoip in the pipeline.json file for the zeek module in Filebeat:
    "set": {
      "field": "source.ip",
      "value": "{{source.address}}"
    }
  },
  {
    "set": {
      "field": "destination.ip",
      "value": "{{destination.address}}"
    }
  },
  ...
  {
    "geoip": {
      "field": "destination.ip",
      "target_field": "destination.geo"
    }
  },
  {
    "geoip": {
      "field": "source.ip",
      "target_field": "source.geo"
    }
  }
Am I correct that this is preventing geo from functioning? Can anyone help point me in the right direction as to why it isn't finding whatever key it is referring to?
Thanks!
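Editor's note with an added example (not code from the post above, and not Filebeat or Elasticsearch code): the rename list printed in the debug lines contains `{From:zeek.notice.id.orig_p To:source.port}` twice, and the error logged right after it is the one Filebeat's rename processor raises when its target field already exists. That processor is documented to never overwrite an existing field and, with `fail_on_error` (its default), to revert the event to its pre-processor state when any single rename fails. The script below models that behaviour on a constructed Zeek notice record, then models the `set` and `geoip` steps quoted from pipeline.json, and includes a small parser that pulls duplicated `{From:.. To:..}` pairs out of a debug line. Everything in it is constructed for illustration: the sample record (with Zeek's `id.*` fields assumed to be nested objects by the time the processors run), the reduced rename list, the stub GeoIP table and the excerpt of the debug line; how Elasticsearch handles an empty `{{source.address}}` template is not modelled, the model simply performs no enrichment when the address field is absent.

```python
"""Model of Filebeat's rename processor (no overwrite, fail_on_error rollback)
followed by the ingest pipeline's set/geoip steps. Hypothetical model written
for this page; it is not Filebeat or Elasticsearch code."""
import copy
import re

# Rename list reduced from the debug log to the fields geoip depends on.
# The last entry repeats an earlier one, exactly as in the logged list.
RENAMES_AS_LOGGED = [
    ("json", "zeek.notice"),
    ("zeek.notice.uid", "zeek.session_id"),
    ("zeek.notice.id.orig_h", "source.address"),
    ("zeek.notice.id.orig_p", "source.port"),
    ("zeek.notice.id.resp_h", "destination.address"),
    ("zeek.notice.id.resp_p", "destination.port"),
    ("zeek.notice.proto", "network.transport"),
    ("zeek.notice.id.orig_p", "source.port"),  # duplicate, as logged
]

# Constructed sample notice, decoded under "json" with id.* already nested.
SAMPLE_EVENT = {
    "json": {
        "ts": 1568857130.181,
        "uid": "CAbcDe1fGhiJkLmN2",
        "id": {"orig_h": "10.0.0.5", "orig_p": 51234,
               "resp_h": "198.51.100.7", "resp_p": 443},
        "proto": "tcp",
        "note": "SSL::Invalid_Server_Cert",
        "msg": "constructed sample notice",
    }
}

# Stub stand-in for the GeoIP database (198.51.100.0/24 is a documentation range).
GEO_STUB = {"198.51.100.7": {"country_iso_code": "XX",
                             "location": {"lat": 0.0, "lon": 0.0}}}

# Constructed excerpt in the shape of the debug line quoted in the post.
DEBUG_LINE_EXCERPT = ("rename=[{From:json To:zeek.notice} "
                      "{From:zeek.notice.id.orig_p To:source.port} "
                      "{From:zeek.notice.id.resp_p To:destination.port} "
                      "{From:zeek.notice.id.orig_p To:source.port}]")


def get_path(obj, path):
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            raise KeyError(path)
        obj = obj[key]
    return obj


def has_path(obj, path):
    try:
        get_path(obj, path)
        return True
    except KeyError:
        return False


def put_path(obj, path, value):
    keys = path.split(".")
    for key in keys[:-1]:
        obj = obj.setdefault(key, {})
    obj[keys[-1]] = value


def delete_path(obj, path):
    keys = path.split(".")
    for key in keys[:-1]:
        obj = obj[key]
    del obj[keys[-1]]


def rename_fields(event, pairs, fail_on_error=True, ignore_missing=False):
    """Apply renames in order. A rename never overwrites an existing target;
    with fail_on_error the first failure reverts the whole event.
    Returns (error message or None, resulting event)."""
    backup = copy.deepcopy(event)
    for src, dst in pairs:
        if has_path(event, dst):
            err = f"target field {dst} already exists, drop or rename this field first"
        elif not has_path(event, src):
            if ignore_missing:
                continue
            err = f"could not fetch value for key: {src}"
        else:
            value = get_path(event, src)
            delete_path(event, src)
            put_path(event, dst, value)
            continue
        if fail_on_error:
            return err, backup
    return None, event


def ingest_geo(event, lookup):
    """Model of the pipeline.json steps: set <side>.ip from <side>.address,
    then geoip on <side>.ip. No address present means nothing to enrich."""
    out = copy.deepcopy(event)
    for side in ("source", "destination"):
        addr = out.get(side, {}).get("address")
        if addr is None:
            continue
        out[side]["ip"] = addr
        if addr in lookup:
            out[side]["geo"] = lookup[addr]
    return out


def dedupe_renames(pairs):
    """Drop repeated (from, to) entries: the fix the 'already exists' error asks for."""
    seen, out = set(), []
    for pair in pairs:
        if pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


def find_duplicate_renames(debug_line):
    """Return the {From:x To:y} pairs that appear more than once in a debug line."""
    counts = {}
    for pair in re.findall(r"\{From:(\S+) To:(\S+)\}", debug_line):
        counts[pair] = counts.get(pair, 0) + 1
    return [pair for pair, n in counts.items() if n > 1]


def run_demo(pairs):
    """Renames then ingest: returns (rename error or None, enriched event)."""
    err, event = rename_fields(copy.deepcopy(SAMPLE_EVENT), pairs,
                               fail_on_error=True, ignore_missing=True)
    return err, ingest_geo(event, GEO_STUB)


if __name__ == "__main__":
    print("duplicates in debug line:", find_duplicate_renames(DEBUG_LINE_EXCERPT))
    print("as logged:", run_demo(RENAMES_AS_LOGGED))
    print("deduplicated:", run_demo(dedupe_renames(RENAMES_AS_LOGGED)))
```

With the list as logged, the model reverts the event at the duplicated entry, so `source.address` and `destination.address` never exist and the `set`/`geoip` steps have nothing to copy or locate; with the duplicate removed, the same record ends up with `destination.ip` and `destination.geo` populated (the source address is private in the sample, so the stub has no entry for it).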