cisagov / Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
https://cisagov.github.io/Malcolm/

Not Populate Malcolm_beats_* #508

Open devilman85 opened 7 hours ago

devilman85 commented 7 hours ago

I set up Elasticsearch as the remote source to send the data to. I set up the Elasticsearch username and password. I am having problems populating the `malcolm_beats_*` index, and in the Logstash logs this message appears: `[WARN ][logstash.outputs.elasticsearch] Badly formatted index, after interpolation still contains placeholder: [%{[@metadata][malcolm_elasticsearch_index]}]`

I cannot understand the error.

mmguero commented 4 hours ago

Hmmm... could we double-check some of your settings? Could you post the results from this command:

grep -v '^#' ./config/opensearch.env

If there are any hostnames/IP addresses you want to redact, that's fine, but there won't be anything sensitive in that file.
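To show where the warning in this issue comes from, here is an added example (not code from Malcolm or Logstash) that approximates how the Logstash elasticsearch output interpolates `%{...}` field references in its `index` setting: when the event carries no `[@metadata][malcolm_elasticsearch_index]` field, the placeholder survives interpolation and the same warning text is produced. The interpolation rules and the sample events are simplifications constructed for this example.

```python
import re

# Approximation (assumed, not Logstash's own parser) of sprintf field references
# such as %{[@metadata][malcolm_elasticsearch_index]} or %{host}.
FIELD_REF = re.compile(r"%\{([^}]+)\}")
MALCOLM_INDEX_PATTERN = "%{[@metadata][malcolm_elasticsearch_index]}"


def lookup(event: dict, ref: str):
    """Resolve '[a][b]' or 'a' against a nested event dict; None if absent."""
    parts = re.findall(r"\[([^\]]+)\]", ref) or [ref]
    node = event
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def interpolate_index(event: dict, pattern: str = MALCOLM_INDEX_PATTERN):
    """Return (index_name, unresolved_placeholders). Unresolved references are
    left verbatim, which is what makes the output reject the index name."""
    unresolved = []

    def repl(match):
        value = lookup(event, match.group(1))
        if value is None:
            unresolved.append(match.group(0))
            return match.group(0)
        return str(value)

    return FIELD_REF.sub(repl, pattern), unresolved


def diagnose(events):
    """Return one line per event: the index it would go to, or the warning."""
    lines = []
    for event in events:
        index, unresolved = interpolate_index(event)
        if unresolved:
            lines.append("[WARN ][logstash.outputs.elasticsearch] Badly formatted index, "
                         f"after interpolation still contains placeholder: [{index}]")
        else:
            lines.append(f"ok: index={index}")
    return lines


# Constructed sample events: the first was enriched with the metadata field
# by an earlier filter stage, the second reached the output without it.
SAMPLE_EVENTS = [
    {"@metadata": {"malcolm_elasticsearch_index": "malcolm_beats_-constructed"}, "message": "a"},
    {"message": "b"},
]

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_EVENTS)))
```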