[Oisf-users] Get from eve.json-> "event_type = file" parser error in elasticsearch

Peter Manev petermanev at gmail.com
Wed Feb 12 09:20:50 UTC 2014


On Wed, Feb 12, 2014 at 10:03 AM, Eric Leblond <eric at regit.org> wrote:
> Hi,
>
> On Wed, 2014-02-12 at 08:40 +0000, Stefan Sabolowitsch wrote:
>> Hi all,
>> Get from eve.json-> "event_type = file" parser error in elasticsearch.
>> https://groups.google.com/d/msg/elasticsearch/1P3fM0oa7gU/8g0qqUxfPSoJ
>>
>> All other event types work without problem.
>> The interesting thing, however, is that "files json.log" can be parsed without problem.
>> Has anyone already successfully sent eve.json-> "event_type = file" to elastic search?
>
> On a clean logstash installation, eve.json file events are correctly
> parsed. By clean, I mean that it has only seen eve.json events.
>
> You may have a conflict in elasticsearch because you have two formats for
> file events. I've seen that type of problem once when one of my students
> changed the type of a key in the output. Injecting the events failed
> after that.

Yes, I can confirm the case described above. I have experienced it as
well - two formats for the same key/value.

>
> If this problem is confirmed, we should maybe do something on code or
> documentation side to fix this or describe how to fix this in
> elasticsearch.
>
> BR,
> --
> Eric Leblond <eric at regit.org>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/



-- 
Regards,
Peter Manev
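One way to check an eve.json file for the two-formats-for-one-key situation Eric and Peter describe, before Elasticsearch refuses the document: an added example, not code from the thread, Suricata or logstash. The sample events and the field names inside them are constructed for the demonstration.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not real Suricata output). In the second
# "file" event, "size" is a string where the first had a number, and "md5" is
# an object where the first had a string: one key, two formats.
SAMPLE_EVE = """\
{"timestamp":"2014-02-12T08:40:00.000000","event_type":"http","src_ip":"10.0.0.1","http":{"hostname":"example.org","url":"/a"}}
{"timestamp":"2014-02-12T08:40:01.000000","event_type":"file","src_ip":"10.0.0.1","fileinfo":{"filename":"a.exe","size":1024,"md5":"00000000000000000000000000000000"}}
{"timestamp":"2014-02-12T08:40:02.000000","event_type":"file","src_ip":"10.0.0.2","fileinfo":{"filename":"b.pdf","size":"2048","md5":{"value":"00000000000000000000000000000000"}}}
"""

def json_type(value):
    """Name the JSON type the way an index mapping would see it."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, (int, float)):
        return "number"
    return {str: "string", dict: "object", list: "array"}.get(type(value), "null")

def flatten(obj, prefix=""):
    """Yield (dotted.path, json_type) for every non-null node, objects included."""
    for key, value in obj.items():
        if value is None:
            continue  # null never fixes a mapping type, so it cannot conflict
        path = prefix + key
        yield path, json_type(value)
        if isinstance(value, dict):
            yield from flatten(value, path + ".")

def find_type_conflicts(lines):
    """Map each path seen with more than one JSON type to {type: [event_types]}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        etype = event.get("event_type", "?")
        for path, jtype in flatten(event):
            seen[path][jtype].add(etype)
    return {path: {t: sorted(e) for t, e in types.items()}
            for path, types in seen.items() if len(types) > 1}

if __name__ == "__main__":
    for path, types in find_type_conflicts(SAMPLE_EVE.splitlines()).items():
        print(f"{path}: {types}")
```

Running it over a real eve.json (`find_type_conflicts(open("eve.json"))`) lists the paths whose type differs between events, which is where a fixed mapping or a rename of one of the two variants is needed.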