can't archive/escalate events after upgrade to ES5 #48

Closed
inliniac opened this issue Apr 30, 2017 · 17 comments
inliniac commented Apr 30, 2017

Just upgraded to ES5 from ES2. I can view and search events, but when I archive/escalate them it doesn't work. On archive they disappear from the view initially, but reappear after a refresh.

Console output looks a bit strange with the nil events:

2017-04-30 11:41:02 (evebox.go:112) <Info> -- No command provided, defaulting to server.
2017-04-30 11:41:02 (server.go:156) <Info> -- This is EveBox Server version 0.7.1dev (rev: f9cde6b)
2017-04-30 11:41:03 (geoip-service.go:44) <Warning> -- Failed to initialize geoip database: no database files found
2017-04-30 11:41:03 (configdb.go:52) <Info> -- Using in-memory configuration DB.
2017-04-30 11:41:03 (sqlmigrator.go:79) <Info> -- Updating database to version 0.
2017-04-30 11:41:03 (sqlmigrator.go:79) <Info> -- Updating database to version 1.
2017-04-30 11:41:03 (server.go:271) <Info> -- Configuring ElasticSearch datastore
2017-04-30 11:41:03 (server.go:273) <Info> -- Using ElasticSearch URL http://localhost:9200
2017-04-30 11:41:03 (server.go:275) <Info> -- Using ElasticSearch Index logstash.
2017-04-30 11:41:03 (elasticsearch.go:100) <Info> -- Event base index: logstash
2017-04-30 11:41:03 (elasticsearch.go:101) <Info> -- Event search index: logstash-*
2017-04-30 11:41:03 (elasticsearch.go:227) <Info> -- Elastic Search keyword initialized to "keyword"
2017-04-30 11:41:03 (server.go:294) <Info> -- Connected to Elastic Search (version: 5.3.2)
2017-04-30 11:41:03 (server.go:133) <Info> -- Session reaper started
2017-04-30 11:41:03 (server.go:167) <Info> -- Authentication disabled.
2017-04-30 11:41:03 (server.go:278) <Info> -- Listening on 0.0.0.0:5636
2017-04-30 11:41:16 (anonymous.go:64) <Info> -- Logging in anonymous user from 192.168.1.6:57812
2017-04-30 11:57:43 (eventservice.go:358) <Info> -- Updated <nil> events, failures = false
2017-04-30 11:57:43 (eventservice.go:358) <Info> -- Updated <nil> events, failures = false
2017-04-30 11:57:43 (eventservice.go:358) <Info> -- Updated <nil> events, failures = false
2017-04-30 11:57:43 (eventservice.go:358) <Info> -- Updated <nil> events, failures = false
2017-04-30 11:57:43 (eventservice.go:358) <Info> -- Updated <nil> events, failures = false
2017-04-30 11:57:44 (eventservice.go:358) <Info> -- Updated <nil> events, failures = false
@jasonish (Owner)

2 thoughts...

  1. Did you upgrade EveBox at the same time? Did you do a full page reload? I'm guessing yes.

  2. It looks like you upgraded Logstash as well. My guess is that evebox is seeing the new template, but events being added for the current day are still using the old template. It will likely fix itself tomorrow. But I'm still not sure about this either, as that would probably make the inbox be empty.

You could try "--elasticsearch-keyword raw" to do ES2/Logstash2 style queries temporarily to see if that's really the issue.

I've also uploaded a new version where "-v" will log a portion of the elastic search response to an archive, to see why it's getting nil.

@inliniac (Author)

New version -v output when pressing 'archive':

2017-04-30 22:55:35 (elasticsearch.go:110)  -- Decoding response (truncated at 1024 bytes): {"error":{"root_cause":[{"type":"script_exception","reason":"runtime error","script_stack":["if (!ctx._source.tags.contains(tag)) {\n\t\t\t            ","                     ^---- HERE"],"script":"\n\t\t\t    for (tag in params.tags) {\n\t\t\t        if (!ctx._source.tags.contains(tag)) {\n\t\t\t            ctx._source.tags.add(tag);\n\t\t\t        }\n\t\t\t    }\n\t\t\t","lang":"painless"}],"type":"script_exception","reason":"runtime error","script_stack":["if (!ctx._source.tags.contains(tag)) {\n\t\t\t            ","                     ^---- HERE"],"script":"\n\t\t\t    for (tag in params.tags) {\n\t\t\t        if (!ctx._source.tags.contains(tag)) {\n\t\t\t            ctx._source.tags.add(tag);\n\t\t\t        }\n\t\t\t    }\n\t\t\t","lang":"painless","caused_by":{"type":"null_pointer_exception","reason":null}},"status":500}
2017-04-30 22:55:35 (eventservice.go:363)  -- Updated  events, failures = false

@inliniac (Author)

"--elasticsearch-keyword raw" doesn't show anything in the inbox. In my upgrade I simply deleted /var/lib/elasticsearch and /var/lib/logstash, so I think I effectively started with a clean slate.

In case it's relevant, I'm seeing this: 2017-04-30 22:57:17 (elasticsearch.go:181) -- Found template version 50001

@jasonish (Owner)

Thanks. The update_by_query I use with ES5 doesn't deal with the case where there is not an existing tag object. With Logstash/ES2 it looks like I could assume it was always there. Not so with version 5 of the stack.

Fix has been pushed to master, but will take a bit to show up for download.

inliniac commented May 1, 2017

Looks like that did it:

2017-05-01 08:40:27 (evebox.go:112)  -- No command provided, defaulting to server.
2017-05-01 08:40:27 (server.go:156)  -- This is EveBox Server version 0.7.1dev (rev: 99169db)
2017-05-01 08:40:27 (geoip-service.go:44)  -- Failed to initialize geoip database: no database files found
2017-05-01 08:40:27 (configdb.go:52)  -- Using in-memory configuration DB.
2017-05-01 08:40:27 (sqlmigrator.go:79)  -- Updating database to version 0.
2017-05-01 08:40:27 (sqlmigrator.go:79)  -- Updating database to version 1.
2017-05-01 08:40:27 (server.go:271)  -- Configuring ElasticSearch datastore
2017-05-01 08:40:27 (server.go:273)  -- Using ElasticSearch URL http://localhost:9200
2017-05-01 08:40:27 (server.go:275)  -- Using ElasticSearch Index logstash.
2017-05-01 08:40:27 (elasticsearch.go:100)  -- Event base index: logstash
2017-05-01 08:40:27 (elasticsearch.go:101)  -- Event search index: logstash-*
2017-05-01 08:40:27 (elasticsearch.go:227)  -- Elastic Search keyword initialized to "keyword"
2017-05-01 08:40:27 (server.go:294)  -- Connected to Elastic Search (version: 5.3.2)
2017-05-01 08:40:27 (server.go:133)  -- Session reaper started
2017-05-01 08:40:27 (server.go:167)  -- Authentication disabled.
2017-05-01 08:40:27 (server.go:278)  -- Listening on 0.0.0.0:5636
2017-05-01 08:40:39 (anonymous.go:64)  -- Logging in anonymous user from 192.168.1.6:37314
2017-05-01 08:40:48 (eventservice.go:366)  -- Updated 1 events, failures = false
2017-05-01 08:41:21 (eventservice.go:366)  -- Updated 8 events, failures = false
2017-05-01 08:41:21 (eventservice.go:366)  -- Updated 11 events, failures = false
2017-05-01 08:41:22 (eventservice.go:366)  -- Updated 8 events, failures = false
2017-05-01 08:41:27 (eventservice.go:366)  -- Updated 6 events, failures = false
2017-05-01 08:41:27 (eventservice.go:366)  -- Updated 7 events, failures = false
2017-05-01 08:41:27 (eventservice.go:366)  -- Updated 5 events, failures = false
2017-05-01 08:41:28 (eventservice.go:366)  -- Updated 4 events, failures = false
2017-05-01 08:41:28 (eventservice.go:366)  -- Updated 8 events, failures = false
2017-05-01 08:41:28 (eventservice.go:366)  -- Updated 5 events, failures = false
2017-05-01 08:41:29 (eventservice.go:366)  -- Updated 1606 events, failures = false

Thanks Jason!

inliniac closed this as completed May 1, 2017
inliniac commented May 2, 2017

It seems I still can't archive some older events. When I click archive on an event dated 30/4/2017 I get:

2017-05-02 11:39:53 (elasticsearch.go:110)  -- Decoding response (truncated at 1024 bytes): {"took":2248,"timed_out":false,"total":0,"updated":0,"deleted":0,"batches":0,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1.0,"throttled_until_millis":0,"failures":[]}
2017-05-02 11:39:53 (eventservice.go:366)  -- Updated 0 events, failures = false
2017-05-02 11:40:06 (server.go:129)  -- Reaping sessions.

These may be events from right after the move to ES5, so perhaps they are somehow different.
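Two things this exchange turns on, in one added Go example that is not EveBox's code: the Painless script from the script_exception above made null-safe for events indexed without a "tags" field, and a response parser that tells an Elasticsearch error document apart from the zero-match update quoted just above (the case the log reports as "Updated 0 events, failures = false"). The two sample responses are constructed from the ones quoted in this thread, the tag name is a placeholder, and matching the event on _id is an assumption of the example rather than EveBox's actual query.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Null-safe version of the Painless script quoted in the error above: the
// original dereferenced ctx._source.tags even when the event had no tags field.
const addTagsScript = `
if (ctx._source.tags == null) {
    ctx._source.tags = new ArrayList();
}
for (tag in params.tags) {
    if (!ctx._source.tags.contains(tag)) {
        ctx._source.tags.add(tag);
    }
}`

// BuildAddTagsRequest returns an _update_by_query body that adds tags to one
// event. Matching on _id is an assumption of this example, not EveBox's query.
func BuildAddTagsRequest(eventID string, tags []string) ([]byte, error) {
	body := map[string]interface{}{
		"query": map[string]interface{}{
			"term": map[string]interface{}{"_id": eventID},
		},
		"script": map[string]interface{}{
			"lang":   "painless",
			"inline": addTagsScript, // ES 5.x script key ("source" from 5.6 on)
			"params": map[string]interface{}{"tags": tags},
		},
	}
	return json.Marshal(body)
}

// ErrNoMatch: ES accepted the request but the query matched nothing. This is
// the "Updated 0 events, failures = false" case above, silent unless checked.
var ErrNoMatch = errors.New("update_by_query matched no events")

type esError struct {
	Type     string                 `json:"type"`
	Reason   string                 `json:"reason"`
	CausedBy map[string]interface{} `json:"caused_by"`
}

type updateByQueryResponse struct {
	Error    *esError          `json:"error"`
	Status   int               `json:"status"`
	Updated  *int              `json:"updated"`
	Failures []json.RawMessage `json:"failures"`
}

// ParseUpdateByQueryResponse tells apart the shapes seen in this thread: an
// error document (status 500, no "updated" key, so the original logged <nil>
// and "failures = false"), a zero-match no-op, item failures, and a real update.
func ParseUpdateByQueryResponse(body []byte) (int, error) {
	var resp updateByQueryResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return 0, fmt.Errorf("decode response: %w", err)
	}
	if resp.Error != nil {
		msg := fmt.Sprintf("elasticsearch status %d: %s: %s",
			resp.Status, resp.Error.Type, resp.Error.Reason)
		if cause, ok := resp.Error.CausedBy["type"].(string); ok {
			msg += " (caused by " + cause + ")"
		}
		return 0, errors.New(msg)
	}
	if resp.Updated == nil {
		return 0, errors.New("response carries no updated count")
	}
	if len(resp.Failures) > 0 {
		return *resp.Updated, fmt.Errorf("%d item failures", len(resp.Failures))
	}
	if *resp.Updated == 0 {
		return 0, ErrNoMatch
	}
	return *resp.Updated, nil
}

// Constructed samples: the first abbreviates the script_exception response
// quoted above, the second is the zero-match response quoted just above.
const sampleScriptError = `{"error":{"type":"script_exception","reason":"runtime error","lang":"painless","caused_by":{"type":"null_pointer_exception","reason":null}},"status":500}`
const sampleNoMatch = `{"took":2248,"timed_out":false,"total":0,"updated":0,"deleted":0,"batches":0,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1.0,"throttled_until_millis":0,"failures":[]}`

func main() {
	for _, body := range []string{sampleScriptError, sampleNoMatch} {
		n, err := ParseUpdateByQueryResponse([]byte(body))
		fmt.Printf("updated=%d err=%v\n", n, err)
	}
}
```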

jasonish commented May 3, 2017

I wonder if there was a time window when events were being added, but there was no template installed (Logstash does that), or it had the non-ES5 template installed.

Debugging is a bit of a pain...

curl http://10.16.1.10:9200/logstash-2017.05.03/_mapping/log|jq .

Change the date to the index of the event that won't delete (visible in the evebox json).

I guess that would be more curiosity. If it is wrong, I'm not sure how to actually fix it. I'd just delete the offending index.

inliniac commented May 3, 2017

I deleted the old index (using curator, just deleting everything older than 2 days), but even with more recent events this sometimes happens. Not for all events though, so I'm not sure what could be the issue.

curl http://127.0.0.1:9200/logstash-2017.05.03/_mapping/log
{}

jasonish commented May 3, 2017

That's a real problem if the mapping is just {}. Try

curl http://127.0.0.1:9200/logstash-2017.05.03/_mapping

to not limit it to a type.

inliniac commented May 3, 2017


jasonish commented May 3, 2017

Ok, last request, if you can... Your Logstash version and config?

Can the events ever be archived? Or do they just not get archived, but get archived on a subsequent run?

jasonish commented May 4, 2017

Ok, I saw this as well. I had a group of 2 events that would just not archive. However, when opened individually they could be archived.

What was interesting is that the @timestamp and timestamp fields in the event did not match, even after taking into account UTC vs localtime.

jasonish reopened this May 4, 2017
jasonish self-assigned this May 4, 2017
jasonish added the bug label May 4, 2017
inliniac commented May 8, 2017

Small update: I just upgraded to ES 5.4 & LS 5.4 and I'm still seeing this behavior where a small subset of events reappear after archiving them.

jasonish commented May 8, 2017

For an event that isn't archiving, look at the JSON. Are the "@timestamp" and "timestamp" fields equivalent?

I'm also running ES 5.4 and Logstash 5.4 now. No forwarder though. Will keep an eye on it.

jasonish commented May 8, 2017

So I think this was all related to @timestamp and timestamp being out of sync. EveBox wasn't consistent with which field it used, which could cause issues if they weren't in sync. When using Logstash, I believe it's best to have:

filter {
    date {
        match => ["timestamp", "ISO8601"]
    }
}

which will make Logstash use the existing timestamp instead of the time of reading the event, which should keep the timestamps in sync.

But I've also gone through EveBox code to consistently use the "@timestamp" field for queries as well as update events which should let you archive these events.
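A check for the mismatch Jason describes, as an added Go example that is not EveBox code: it parses Suricata's "timestamp" and Logstash's "@timestamp" from an EVE event, compares them in UTC, and lists the events where they drift, which is what happens when Logstash stamps its own read time instead of applying the date filter above. The sample events are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Suricata's EVE "timestamp" has microseconds and a numeric zone offset, e.g.
// 2017-05-03T11:39:53.123456+0200. Logstash stores "@timestamp" in UTC with
// millisecond precision, e.g. 2017-05-03T09:39:53.123Z.
const suricataLayout = "2006-01-02T15:04:05.000000-0700"

// Event carries only the two fields compared here; other EVE fields are ignored.
type Event struct {
	Timestamp   string `json:"timestamp"`
	AtTimestamp string `json:"@timestamp"`
}

// TimestampsAgree reports whether @timestamp and timestamp name the same
// instant once both are in UTC. Logstash keeps milliseconds only, so any
// difference under 1ms counts as agreement; anything larger means Logstash
// stamped the event with its own read time rather than the Suricata time.
func TimestampsAgree(raw []byte) (bool, error) {
	var ev Event
	if err := json.Unmarshal(raw, &ev); err != nil {
		return false, fmt.Errorf("decode event: %w", err)
	}
	if ev.Timestamp == "" || ev.AtTimestamp == "" {
		return false, fmt.Errorf("event lacks timestamp or @timestamp")
	}
	ts, err := time.Parse(suricataLayout, ev.Timestamp)
	if err != nil {
		return false, fmt.Errorf("parse timestamp: %w", err)
	}
	at, err := time.Parse(time.RFC3339Nano, ev.AtTimestamp)
	if err != nil {
		return false, fmt.Errorf("parse @timestamp: %w", err)
	}
	// Sub compares absolute instants, so the zone offsets cancel out.
	diff := ts.Sub(at)
	if diff < 0 {
		diff = -diff
	}
	return diff < time.Millisecond, nil
}

// FindDriftedEvents returns the indices of events whose two timestamps
// disagree or cannot be compared; these are the ones to inspect when an
// archive action leaves the event in the inbox.
func FindDriftedEvents(events [][]byte) []int {
	var drifted []int
	for i, ev := range events {
		ok, err := TimestampsAgree(ev)
		if err != nil || !ok {
			drifted = append(drifted, i)
		}
	}
	return drifted
}

// Constructed sample events: the first is consistent, the second carries an
// @timestamp from Logstash's read time, the third lacks @timestamp entirely.
var sampleEvents = [][]byte{
	[]byte(`{"event_type":"alert","timestamp":"2017-05-03T11:39:53.123456+0200","@timestamp":"2017-05-03T09:39:53.123Z"}`),
	[]byte(`{"event_type":"alert","timestamp":"2017-05-03T11:39:53.123456+0200","@timestamp":"2017-05-03T09:42:10.004Z"}`),
	[]byte(`{"event_type":"alert","timestamp":"2017-05-03T11:39:53.123456+0200"}`),
}

func main() {
	fmt.Println("drifted events:", FindDriftedEvents(sampleEvents)) // [1 2]
}
```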

inliniac commented May 9, 2017

Looks like 0.7.1dev (Rev: eb91f5d) fixed this, thanks!

jasonish commented May 9, 2017

Great.

jasonish closed this as completed May 9, 2017