pevma
commented
6 years ago Thanks for posting this. I actually tried it as well on latest SELKS and could not reproduce - was working fine there. Will look further into it to see if something pops up.
Closed yorkvik closed 6 years ago
pevma
commented
6 years ago Thanks for posting this. I actually tried it as well on latest SELKS and could not reproduce - was working fine there. Will look further into it to see if something pops up.
regit
commented
6 years ago You may want to play with the 2 following values in settings.py
# Extension used for complete field (usually "raw" or "keyword")
ELASTICSEARCH_KEYWORD = "raw"
# Hostname field (usually "hostname" or "host")
ELASTICSEARCH_HOSTNAME = "host"Check value in Kibana and fix them by adding this value to local_settings.py.
I hope it helps.
yorkvik
commented
6 years ago Thank you for your feedback. I don't understand completely what the ELASTICSEARCH_KEYWORD is used for. My alert in logstash looks like this, what should I use?
| 0 | |
|---|---|
| _index | "logstash-2018.05.15" |
| _type | "SuricataIDPS" |
| _id | "AWNiZV-ipqf36NkgxwfB" |
| _score | 3.2650652 |
| _source | |
| icmp_type | 143 |
| type | "SuricataIDPS" |
| in_iface | "enp24s0f0" |
| src_ip | "0000:0000:0000:0000:0000:0000:0000:0000" |
| path | "/data/suricata/eve.json" |
| event_type | "alert" |
| @timestamp | "2018-05-15T06:03:20.389Z" |
| alert | |
| severity | 3 |
| signature_id | 1000001 |
| rev | 0 |
| gid | 1 |
| signature | "ICMP Packet found" |
| action | "allowed" |
| category | "" |
| flow_id | 484049125175679 |
| dest_ip | "ff02:0000:0000:0000:0000:0000:0000:0016" |
| proto | "IPv6-ICMP" |
| @version | "1" |
| host | "localhost" |
| icmp_code | 0 |
| flow | |
| start | "2018-05-15T08:03:20.389503+0200" |
| bytes_toclient | 0 |
| bytes_toserver | 90 |
| pkts_toserver | 1 |
| pkts_toclient | 0 |
| timestamp | "2018-05-15T08:03:20.389503+0200" |
yorkvik
commented
6 years ago Ok, it works with ELASTICSEARCH_VERSION = 5 and ELASTICSEARCH_KEYWORD = "keyword"
Thank you!
Since upgrade to ES v5.6.9 Scirius is unable to get events from ES. When changing version in settings.py (ELASTICSEARCH_VERSION = 6) it works for the 'rules_activity', but not for the graphs (alerts activity).
For example (when ES settings put to 6) : result is empty : https://127.0.0.1/rules/es?query=timeline&from_date=1525760008668&hosts=*
This one works : https://127.0.0.1/rules/es?query=rules&host=*&from_date=1525760008668
None of them works if ELASTICSEARCH_VERSION = 5.