
Sensor name does not show up when Filebeat is used to process events. #100

Closed
kamandohl opened this issue Jan 25, 2019 · 12 comments

@kamandohl

I have scoured the closed and open issues without any luck. Related to Issue #76, but I am not using SELKS. My set-up:

Suricata 4.1 --> Filebeat (not the module) reading from eve.json --> Kafka (no transforms) --> Logstash ( adding GeoIP ) --> ES 6.4 <-- Evebox version 0.10.1

Events are showing up in the "Events" tab. The GeoIP even shows. I have loaded the latest ET ruleset and am pointing to it in the yaml at the correct path, /etc/evebox/rules/*.rules. Permissions are evebox:evebox.

The rules do not show up in the Alert.
The Sensor fields all say [object Object].

Here is my config yaml: Pastebin

Thanks in advance.

@jasonish (Owner)

Your index is listed as custom. Can you tell me how it differs from a default Logstash template? It could be breaking the aggregations needed for the Inbox/Alert views.

Also, what is adding the "host" field? When Suricata adds it, it's a simple string. Can you provide the JSON from an alert?

@kamandohl (Author)

Here is the JSON from an Alert within Elasticsearch.

I will verify the template.

@jasonish (Owner)

That pastebin is private. If you can, share it to "jasonish" on pastebin.

@kamandohl (Author)

I made it public. I did not see a way to share to a person. Thanks

@jasonish (Owner)

Looks like Logstash or Filebeat is adding "host" as an object, which is different from when Suricata adds it, in which case it would simply be a string. I'll have to figure out exactly what's adding it.

But this shouldn't affect the inbox/alert view. That is probably more due to a template issue. You should be able to extract it like:

curl http://hostname:9200/nsm-2019.01.28/_mapping

If you haven't, you may want to try the latest development version as well.

@kamandohl (Author)

Here is the mapping. Sorry about the format; I tried to make it "pretty" but, for whatever reason, could not.

Mapping

@elhijo

elhijo commented Feb 9, 2019

Hi,
Any updates about the [object Object] issue?
Not a very big deal but it would be nice to have the right value here.
Thanks

@kamandohl (Author)

Nothing yet, I have had to back burner this to get some other things online. Still my top priority.

@jasonish (Owner)

> Not a very big deal but it would be nice to have the right value here.

Are you using Filebeat and Logstash as well?

What I'll probably end up doing is adding a check in the UI to see if hostname is a string or an object and displaying it properly. Unfortunately if you ever want to search by hostname, you'll have to enter the correct search key yourself.

@jasonish (Owner)

So it looks like filebeat overwrites the "host" string field added by Suricata with its own "host" object. Will fix in the UI.

@elhijo

elhijo commented Feb 12, 2019

Yes Filebeat AND logstash.

> Will fix in the UI.

Great, thanks !

jasonish changed the title from "Configuration Issues" to "Sensor name does not show up when Filebeat is used to process events." on Feb 12, 2019

jasonish added a commit that referenced this issue on Feb 12, 2019:
Suricata will create events with the "host" field being a string
of the sensor name. Filebeat will override this with a "host"
object where "host.name" is the hostname of the machine
generating the alert. If this appears to be the case, use host.name
as the sensor name.

Github issue:
#100
@jasonish (Owner)

This is now fixed in the latest development builds. You will lose the "host" field as added by Suricata as Filebeat is overwriting it.

@kamandohl I updated this issue to only cover the sensor name issue. If you had other issues, please create a new issue.
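The check described in the commit above, written out as an added example (this is not EveBox's own code, and the field names, sample events and sample mapping are constructed for the example): Suricata writes "host" as a string holding the configured sensor name, Filebeat replaces it with a "host" object, and a UI that wants a sensor name has to accept both shapes. The second function does the check from the `_mapping` exchange earlier in the thread: given the JSON that `curl http://hostname:9200/<index>/_mapping` returns, it reports whether "host" is mapped as a scalar or as an object, so you can tell which producer won before looking at the UI.

```typescript
// Added example, not EveBox's own code. Resolves the sensor name whether
// "host" is Suricata's string or Filebeat's object, and reports which
// search key is valid for it (a search on "host" finds nothing once
// Filebeat has turned the field into an object).

interface SensorRef {
  name: string | null;                       // value to show in the Sensor column
  key: string | null;                        // field to search on: "host" or "host.name"
  source: "suricata" | "filebeat" | "none";  // which producer the shape indicates
}

type EveEvent = { [field: string]: unknown };

function sensorName(event: EveEvent): SensorRef {
  const host = event["host"];
  // Suricata: "host": "<sensor-name>", as configured in suricata.yaml.
  if (typeof host === "string" && host.length > 0) {
    return { name: host, key: "host", source: "suricata" };
  }
  // Filebeat: "host": { "name": "<hostname>", ... }. Filebeat's object wins
  // over Suricata's string, so the configured sensor name is gone and
  // host.name is the best substitute.
  if (host !== null && typeof host === "object") {
    const name = (host as { [k: string]: unknown })["name"];
    if (typeof name === "string" && name.length > 0) {
      return { name: name, key: "host.name", source: "filebeat" };
    }
  }
  return { name: null, key: null, source: "none" };
}

// Query-string clause for the sensor, using the key that exists in the index.
function sensorQuery(ref: SensorRef): string | null {
  if (ref.name === null || ref.key === null) {
    return null;
  }
  return ref.key + ':"' + ref.name.replace(/"/g, '\\"') + '"';
}

// Inspect the JSON from  curl http://hostname:9200/<index>/_mapping  and
// report, per index, whether "host" is a scalar field (keyword/text:
// Suricata's shape) or an object with sub-fields (Filebeat's shape).
// Handles the ES 6.x layout (mappings.<type>.properties) and the typeless
// 7.x layout (mappings.properties).
type HostMapping = "scalar" | "object" | "missing";

function hostMappingKind(mappingJson: string): { [index: string]: HostMapping } {
  const mapping = JSON.parse(mappingJson);
  const result: { [index: string]: HostMapping } = {};
  for (const index in mapping) {
    const mappings = mapping[index].mappings || {};
    const propertySets: any[] = [];
    if (mappings.properties) {
      propertySets.push(mappings.properties);
    } else {
      for (const docType in mappings) {
        if (mappings[docType] && mappings[docType].properties) {
          propertySets.push(mappings[docType].properties);
        }
      }
    }
    let kind: HostMapping = "missing";
    for (const props of propertySets) {
      const host = props.host;
      if (!host) continue;
      // An object mapping carries "properties"; a scalar carries only "type".
      kind = host.properties ? "object" : "scalar";
    }
    result[index] = kind;
  }
  return result;
}

// Constructed sample input; not taken from the issue's pastebins.
const suricataEvent: EveEvent = {
  timestamp: "2019-01-28T10:00:00.000000+0000",
  event_type: "alert",
  host: "sensor-01",
  src_ip: "10.0.0.5",
};

const filebeatEvent: EveEvent = {
  timestamp: "2019-01-28T10:00:00.000000+0000",
  event_type: "alert",
  host: { name: "sensor-01.example.internal", architecture: "x86_64" },
  src_ip: "10.0.0.5",
};

const sampleMapping = JSON.stringify({
  "nsm-2019.01.28": {
    mappings: {
      doc: {
        properties: {
          event_type: { type: "keyword" },
          host: { properties: { name: { type: "keyword" } } },
          src_ip: { type: "ip" },
        },
      },
    },
  },
});

// Stand-alone run: show what each shape resolves to.
console.log(sensorName(suricataEvent), sensorName(filebeatEvent), hostMappingKind(sampleMapping));
```

Two caveats for anyone relying on this. The object path gives you Filebeat's idea of the host, which is the sensor only when Filebeat reads eve.json on the sensor itself; a Filebeat on a central collector would label every event with the collector's name. And a saved search or dashboard written as `host:"sensor-01"` silently stops matching once the index holds the object shape, which is why the function hands back the key alongside the name.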

jasonish added this to the 0.11 milestone on Nov 22, 2019