StamusNetworks / KTS

Kibana 4 Templates for Suricata IDPS
GNU General Public License v3.0

Could not locate that index-pattern-field (id: http............. #4

Closed Eagleman7 closed 8 years ago

Eagleman7 commented 8 years ago

After changing suricata.yaml in the /opt/Amsterdam directory, I am still getting these errors on the HTTP dashboard:

Could not locate that index-pattern-field (id: http.accept_encoding.raw)
Could not locate that index-pattern-field (id: http.cache_control.raw)
Could not locate that index-pattern-field (id: http.vary.raw)
Could not locate that index-pattern-field (id: http.accept_encoding.raw)
Could not locate that index-pattern-field (id: http.server.raw)

This is my suricata.yaml file inside the suricata.yaml container from Amsterdam:

[root@ips opt]# docker exec -i -t 4088e685510f bash
root@ips:/# cat /etc/suricata/suricata.yaml

http://lpaste.net/4503478986034118656

I followed the instructions on your blog post

pevma commented 8 years ago

Those are normal errs if you do not have the data. Try generating some more data - ex sniffing/browsing heavy http sites so that the data can populate.

Eagleman7 commented 8 years ago

Do you have any suggestions? I have 3 users browsing, and it isn't populated yet. Amsterdam has been running for at least 2 weeks in a row.

pevma commented 8 years ago

Is it only those fields that are not populating? Do you see the mirror traffic alright?

regit commented 8 years ago

@pevma I think we have someone working on the issue. You need to have data with correct key/value to avoid this kind of message because the index is incomplete. Kibana 4 rocks here...

pevma commented 8 years ago

ok - understood. Thanks for the update!

Eagleman7 commented 8 years ago

I started over with Amsterdam, now I am seeing data on the visualizations on the HTTP page.

Eagleman7 commented 8 years ago

When https://github.com/StamusNetworks/Amsterdam/pull/27 is pulled this issue will be solved. Amsterdam is missing the extended logging options for HTTP
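
The fields the HTTP dashboard complains about (http.accept_encoding, http.cache_control, http.vary, http.server) are part of Suricata's extended HTTP logging, which is off by default, so they never reach eve.json, the Elasticsearch mapping never gains them, and Kibana reports the index-pattern field as missing. The following suricata.yaml fragment is an added example of the eve-log settings that turn them on; it is not the contents of Amsterdam's container or of PR #27, and the filename and path are assumptions:

```yaml
# Assumed location inside the container: /etc/suricata/suricata.yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json          # assumed; Amsterdam ships Suricata logs to ES via Logstash
      types:
        - alert
        - http:
            # Default is "no": only hostname, url, http_user_agent, etc. are logged.
            # "yes" adds the extended request/response headers, including
            # accept_encoding, cache_control, vary and server, which the
            # KTS HTTP dashboard visualizations are built on.
            extended: yes
            # Optional: log further headers not covered by "extended".
            # Each entry becomes an http.<lower_snake_case> key in eve.json.
            custom: [Accept-Language, Authorization]
        - dns
        - tls
```

After restarting Suricata, the keys only appear in the index once at least one HTTP event carrying them has been indexed; if the dashboard still reports them missing, reload the field list of the logstash-* index pattern in Kibana 4 settings so it picks up the new mapping.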

pevma commented 8 years ago

Thanks !