[Oisf-users] struggling to get eve logs into ES
r.fulton at auckland.ac.nz
Sun May 10 22:25:13 UTC 2020
I am attempting to get eve.json data into elasticsearch.
I found filebeat and noted that it had a suricata plugin. Installed it (following the instructions in the docs).
At first I could not find the index and the docs were not forthcoming about the naming. Eventually I figured out that it was called filebeat-…. By that time the index contained 50GB of data and was marked as closed.
I can't do anything with the closed index, not even delete it. I have tried opening it by sending an API request, but that comes back with "acknowledged" and nothing changes. Filebeat logs suggest it is still sending data to ES???
I tried changing the index name, but filebeat now insists that I need to load the templates for the new index without saying how. Re-running filebeat --setup does not do it.
Before spending more time going around in circles I thought I would ask what others are doing to get their eve logs into ES so that they can use Evebox — which is next on my list of things to look at once I get the data loading into ES.
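An added example (not from the original post, and not part of Filebeat or Suricata) of how to triage the closed-index situation described above from the shell. It assumes the cluster is reachable at ES_URL (a placeholder) and that you have rights to read and open indices. The parsing function works on the two-column output of `_cat/indices?h=index,status`; the sample input below is constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added example: find Elasticsearch indices that are in the "close" state,
# open one, and confirm the state actually changed.
# ES_URL is an assumed placeholder for your cluster address.
ES_URL="${ES_URL:-http://localhost:9200}"

# Print the names of closed indices.
# Input on stdin: the text returned by GET /_cat/indices?h=index,status
# (one index per line: name, then "open" or "close").
closed_indices() {
  awk '$2 == "close" { print $1 }'
}

# Ask the real cluster and filter the answer.
list_closed() {
  curl -s "$ES_URL/_cat/indices?h=index,status" | closed_indices
}

# Open a closed index (needed before it can be searched).
open_index() {
  curl -s -X POST "$ES_URL/$1/_open"
}

# Check the state afterwards: an "acknowledged": true reply only means
# the request was accepted, so verify the index now reports "open".
index_state() {
  curl -s "$ES_URL/_cat/indices/$1?h=status"
}

# Constructed sample (not real cluster output) so the parsing can be
# exercised without a running Elasticsearch.
SAMPLE='filebeat-7.6.2-2020.05.10 open
filebeat-7.6.2-2020.04.28 close
.kibana_1 open'

# Run the parser over the constructed sample; returns the closed names.
demo_closed() {
  printf '%s\n' "$SAMPLE" | closed_indices
}
```

Usage against a live cluster: `list_closed`, then `open_index filebeat-...` and `index_state filebeat-...` to confirm it reports `open` rather than trusting the acknowledgement alone. For the renamed index, Filebeat 7.x expects `setup.template.name` and `setup.template.pattern` in filebeat.yml to match the new `output.elasticsearch.index`, after which `filebeat setup --index-management` loads the template.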