[Oisf-users] struggling to get eve logs into ES

Netsecuris Leonard ljacobs at netsecuris.com
Mon May 11 12:15:06 UTC 2020


Try filebeat-*

> On May 10, 2020, at 5:25 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> 
>  I am attempting to get eve.json data into elasticsearch.
> 
> I found filebeat and noted that it had a suricata plugin.  Installed it (following the instruction in the docs). 
> 
> At first I could not find the index and the docs were not forthcoming about the naming.  Eventually I figured out that it was called filebeat-…..   By that time the index contained 50GB of data and was marked as closed.  
> 
> I can’t do anything with the closed index, even delete it. I have tried opening it by sending an API request but that comes back with “acknowledged” but nothing changes.  Filebeat logs suggest it is still sending data to ES???
> 
> I tried changing the index name but filebeat now insists that I now need to load the templates for the new index without saying how. Re-running filebeat --setup does not do it.
> 
> Before spending more time going around in circles I thought I would ask what others are doing to get their eve logs into ES so that they can use Evebox — which is next on my list of things to look at once I get the data loading into ES.
> 
> Russell
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: https://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Forum: https://forum.suricata.io
> Trainings: https://suricata-ids.org/training/
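The two things the question above runs into, a filebeat-* index that reports "acknowledged" on `_open` yet stays closed, and a renamed index for which filebeat will not load its template, can both be checked from a script. The following is an added example and is not code from the thread, from filebeat or from Elasticsearch; it assumes an Elasticsearch 7.x REST API (the `_cat/indices`, `_open` and `_count` endpoints) and that, as filebeat 7.x documents, `setup.template.name` and `setup.template.pattern` must be set whenever `output.elasticsearch.index` is changed from the default. The `_cat/indices` sample embedded below is constructed, not output from the poster's cluster.

```python
import fnmatch
import json
import re
import sys
import urllib.request

# Constructed sample of GET /_cat/indices/filebeat-*?format=json&h=index,status,store.size
# (not real output from the poster's cluster).
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "filebeat-7.7.0-2020.05.09-000001", "status": "close", "store.size": None},
    {"index": "filebeat-7.7.0-2020.05.11-000002", "status": "open", "store.size": "1.2gb"},
    {"index": ".kibana_1", "status": "open", "store.size": "30kb"},
])

PLACEHOLDER = re.compile(r"%\{[^}]*\}")  # filebeat's %{[field]} and %{+date} expansions


def plan_index_actions(cat_json, prefix="filebeat-"):
    """Turn _cat/indices JSON into the REST calls worth making next.

    A closed index has to be opened (POST /<index>/_open) before it can be
    searched or managed; an open one gets a GET /<index>/_count so we can
    confirm whether filebeat is still writing to it.
    """
    actions = []
    for entry in json.loads(cat_json):
        name = entry["index"]
        if not name.startswith(prefix):
            continue
        if entry["status"] == "close":
            actions.append((name, "POST", f"/{name}/_open"))
        else:
            actions.append((name, "GET", f"/{name}/_count"))
    return actions


def check_custom_index_config(cfg):
    """Return the problems with a custom index name in filebeat.yml (given as a flat dict).

    Assumption from the filebeat 7.x docs: the index template is only loaded
    for a non-default index when setup.template.name and setup.template.pattern
    are set too, and the pattern must match what output.elasticsearch.index
    expands to.
    """
    problems = []
    index = cfg.get("output.elasticsearch.index")
    if not index:
        return problems  # default filebeat-* naming: template setup works as-is
    pattern = cfg.get("setup.template.pattern")
    if not cfg.get("setup.template.name"):
        problems.append("setup.template.name missing")
    if not pattern:
        problems.append("setup.template.pattern missing")
    else:
        # Replace every %{...} placeholder with a dummy value and glob-match the result
        sample = PLACEHOLDER.sub("x", index)
        if not fnmatch.fnmatch(sample, pattern):
            problems.append(
                f"setup.template.pattern {pattern!r} does not match expanded index {sample!r}"
            )
    return problems


def open_and_verify(es_url, index):
    """Open a closed index, then re-read its status so 'acknowledged' is not taken on trust.

    Needs a live Elasticsearch at es_url (e.g. http://localhost:9200).
    """
    req = urllib.request.Request(f"{es_url}/{index}/_open", method="POST")
    with urllib.request.urlopen(req) as resp:
        ack = json.load(resp).get("acknowledged")
    with urllib.request.urlopen(f"{es_url}/_cat/indices/{index}?format=json&h=index,status") as resp:
        status = json.load(resp)[0]["status"]
    return ack, status


if __name__ == "__main__":
    for action in plan_index_actions(SAMPLE_CAT_INDICES):
        print(action)
    print(check_custom_index_config({
        "output.elasticsearch.index": "suricata-%{+yyyy.MM.dd}",
        "setup.template.name": "suricata",
        "setup.template.pattern": "filebeat-*",
    }))
    # usage: python3 check_es.py http://localhost:9200 filebeat-7.7.0-2020.05.09-000001
    if len(sys.argv) == 3:
        print(open_and_verify(sys.argv[1], sys.argv[2]))
```

The offline part (`plan_index_actions`, `check_custom_index_config`) works on the constructed sample; `open_and_verify` is the check for the "acknowledged but nothing changes" symptom, since it reports the index status after the open call rather than the acknowledgement alone.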