Empty error when viewing events #241
Comments
This looks like you may be using ECS which is still a work in progress? Are you using Filebeat with the Suricata module? If so, can you let me know which version of Filebeat and Elastic you are using?
I'm forwarding data with the file module of filebeat (with Logstash and ES at version 7.17). I didn't do anything special or try to enable ECS, though I see an
Does your config look something like https://github.com/jasonish/evebox/wiki/Example-Filebeat-to-Logstash-Configuration? There are many ways to get the data into Elastic that all result in slightly different schemas, so I need as much detail as possible please.
Yes, the conf is similar to this one. It seems filebeat is actually adding the ecs field, as I can see when taking the suricata json as file input, and use a file output, the ecs field is present. I think the field appeared when I switched from filebeat-oss to filebeat-free version.
Ok. This is a setup I haven't tested recently. Even though Short of that, this will likely have to wait until I can test this similar setup.
I'm not passing the
I'm running Evebox 0.16 (Debian package install), and have noticed an error is triggered when viewing an event. To trigger it, I go to the "Events" top menu entry, then click on an event (from my testing, it seems to trigger on all events):
It seems like it's expecting an event key in the suricata events, are these mandatory?
The full error stack: