cleesmith / unifiedbeat

Unifiedbeat reads records from Unified2 binary files generated by network intrusion detection software and indexes the records in Elasticsearch.
MIT License

CRIT U2SpoolAndPublish: unexpected error: 'unexpected EOF' #17

Open joaoorvalho opened 5 years ago

joaoorvalho commented 5 years ago

Hello!

I'm struggling to use unifiedbeat properly :(

I'm using snort and logstash. To generate the unified2 file I run this snort command: `sudo snort -A console -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf`

Afterwards I run unifiedbeat: `/home/pc/go/src/github.com/cleesmith/unifiedbeat# ./unifiedbeat -c unifiedbeat.yml -e`

However I get this feedback from unifiedbeat:

```
2019/02/04 02:36:28.776378 geolite.go:24: INFO GeoIP disabled: No paths were set under shipper.geoip.paths
2019/02/04 02:36:28.776537 logstash.go:105: INFO Max Retries set to: 3
2019/02/04 02:36:28.780277 outputs.go:135: INFO Activated logstash as output plugin.
2019/02/04 02:36:28.780345 outputs.go:135: INFO Activated console as output plugin.
2019/02/04 02:36:28.780407 publish.go:291: INFO Publisher name: nucy
2019/02/04 02:36:28.780581 async.go:78: INFO Flush Interval set to: 1s
2019/02/04 02:36:28.780602 async.go:84: INFO Max Bulk Size set to: 2048
2019/02/04 02:36:28.780633 async.go:78: INFO Flush Interval set to: 1s
2019/02/04 02:36:28.780644 async.go:84: INFO Max Bulk Size set to: 2048
2019/02/04 02:36:28.780685 beat.go:238: INFO Init Beat: unifiedbeat; Version: 2.0.1
2019/02/04 02:36:28.781042 u2beat.go:106: INFO Setup: 'geoip2_path:' not specified in YAML config file.
2019/02/04 02:36:28.801499 u2beat.go:123: INFO Setup: Rules warnings: 0 multiple line rules rejected, 0 duplicate rules rejected
2019/02/04 02:36:28.801696 u2beat.go:124: INFO Setup: Rules stats: 8 rule files read, 863 rules created
2019/02/04 02:36:28.808859 u2beat.go:140: INFO Setup: registrar: registry file: "/home/pc/go/src/github.com/cleesmith/unifiedbeat/.unifiedbeat"
2019/02/04 02:36:28.808891 u2beat.go:141: INFO Setup: registrar: file source: ""
2019/02/04 02:36:28.808897 u2beat.go:142: INFO Setup: registrar: file offset: 0
2019/02/04 02:36:28.809395 beat.go:267: INFO unifiedbeat sucessfully setup. Start running.
2019/02/04 02:36:28.809416 u2beat.go:148: INFO Run: start spooling and publishing...
2019/02/04 02:36:28.809422 u2spoolandpublish.go:52: INFO U2SpoolAndPublish: spooling and publishing...
2019/02/04 02:36:28.818556 u2spoolandpublish.go:96: CRIT U2SpoolAndPublish: unexpected error: 'unexpected EOF'
2019/02/04 02:36:28.819012 u2beat.go:182: INFO Run: updated registry file.
2019/02/04 02:36:28.819029 beat.go:307: INFO Start exiting beat
2019/02/04 02:36:28.819608 beat.go:282: INFO Stopping Beat
2019/02/04 02:36:28.819625 u2beat.go:192: INFO Stop: is spooling and publishing running? 'false'
2019/02/04 02:36:28.819633 u2beat.go:213: INFO Stop: done after waiting 7.084µs.
2019/02/04 02:36:28.819639 beat.go:290: INFO Cleaning up unifiedbeat before shutting down.
2019/02/04 02:36:28.819651 u2beat.go:217: INFO Cleanup: is spooling and publishing running? 'false'
2019/02/04 02:36:28.819656 u2beat.go:223: INFO Cleanup: done.
2019/02/04 02:36:28.819660 beat.go:139: INFO Exit beat completed
```

My configuration files:

- Snort: https://pastebin.com/c0BauSWL
- Unifiedbeat: https://pastebin.com/QD4bMAv8

I already checked a similar issue; however, I think I'm using a proper unified2 log file.

Does anyone know how I can fix this? :)
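For readers arriving at this issue, an added example that is not unifiedbeat's own code: in Go, 'unexpected EOF' is the text of `io.ErrUnexpectedEOF`, which `encoding/binary` and `io.ReadFull` return when the input ends part-way through a value, so a reader of a Unified2 file that is shorter than its last record header claims (a cut-off file, or one the writer has not finished flushing) sees exactly this error. The reader below walks Unified2 records (4-byte type and 4-byte length in network byte order, then the body), tells a clean end of file from a truncated final record, and caps the body allocation at an assumed 1 MiB so a corrupt length field cannot exhaust memory; the sample stream and its record type value are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxBody caps the body allocation so a corrupt length field cannot exhaust memory (assumed value).
const maxBody = 1 << 20
// readRecords counts complete records in a Unified2 stream (4-byte type, 4-byte body length, both big-endian, then the body).
// io.EOF exactly on a record boundary is a normal end of file; bytes running out inside a header or body means truncation.
func readRecords(r io.Reader) (complete int, truncated bool, err error) {
	for {
		var h [2]uint32 // h[0] = record type, h[1] = body length
		switch err = binary.Read(r, binary.BigEndian, &h); {
		case errors.Is(err, io.EOF):
			return complete, false, nil
		case errors.Is(err, io.ErrUnexpectedEOF):
			return complete, true, err
		case err != nil:
			return complete, false, err
		}
		if h[1] > maxBody {
			return complete, false, errors.New("unified2 record length exceeds cap")
		}
		if _, err = io.ReadFull(r, make([]byte, h[1])); err != nil {
			return complete, errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF), err
		}
		complete++
	}
}
// sampleStream builds a constructed two-record stream; with truncate set, the second body is cut short.
func sampleStream(truncate bool) []byte {
	var buf bytes.Buffer
	for _, body := range [][]byte{bytes.Repeat([]byte{0xAA}, 12), bytes.Repeat([]byte{0xBB}, 8)} {
		binary.Write(&buf, binary.BigEndian, [2]uint32{7, uint32(len(body))}) // constructed type value
		buf.Write(body)
	}
	if truncate {
		return buf.Bytes()[:buf.Len()-3]
	}
	return buf.Bytes()
}
func main() {
	n, trunc, err := readRecords(bytes.NewReader(sampleStream(true)))
	fmt.Println("complete records:", n, "truncated:", trunc, "err:", err)
}
```

A reader that tracks a file offset, as the registrar in the log above does, should only advance past records it has read completely, so a truncated tail is retried once the writer finishes it rather than being skipped.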