jasonish / evebox

Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
https://evebox.org/
MIT License

Error #150

Closed ngms17 closed 3 years ago

ngms17 commented 3 years ago

I am having this error while starting evebox server.

(Screenshot 2020-12-03 at 10:27:26, showing the error; image not reproduced)

jasonish commented 3 years ago

How are you adding your events to Elasticsearch?

ngms17 commented 3 years ago

Filebeat -> Logstash -> Elastic

But my index is not the logstash default

jasonish commented 3 years ago

You will have to tell EveBox the name of your index prefix. So by default it assumes "logstash-*"; the --index option can change that. However, EveBox only works against the default Logstash schema, so if you remap fields, change the types, etc., it's unlikely to work.

It also doesn't work against ECS if using the Filebeat Suricata module. I'm working on that though.

jasonish commented 3 years ago

I think that has been resolved. If an ECS issue, follow here: https://github.com/jasonish/evebox/issues/97