jasonish / evebox

Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
https://evebox.org/
MIT License
418 stars, 67 forks

Elasticsearch response has no aggregations #155

Closed kmz161 closed 2 years ago

kmz161 commented 3 years ago

I am using docker-compose to deploy elasticsearch and evebox:

version: "2"

services:

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
    environment:
      - "discovery.type=single-node"
      - "xpack.security.enabled=false"
    ports:
      - 9200:9200
    volumes:
      - elasticsearch-data:/usr/share/elasticsearch/data

  evebox:
    image: jasonish/evebox:latest
    volumes:
      - log:/var/log/sagan:z
    links:
      - elasticsearch
    ports:
      - 5636:5636
    command:  -e http://localhost:9200

volumes:
    log:
    elasticsearch-data:

And I am using filebeat to send the Sagan log to elasticsearch:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/sagan/eve.json

  json.keys_under_root: true
  overwrite_keys: true

setup.template.settings:
  index.number_of_shards: 1

output.elasticsearch:
  hosts: [localhost:9200]

Elasticsearch contains data, but evebox logs the error "WARN evebox::elastic::eventstore: Elasticsearch response has no aggregations". What do I need to get evebox working?

jasonish commented 3 years ago

Can you show me a sample of some of the Sagan logs?

kmz161 commented 3 years ago

Yes.

{
  "timestamp": "2021-01-27T14:40:33.523208+0300",
  "flow_id": 1362230216,
  "in_iface": "logs",
  "event_type": "alert",
  "src_ip": "192.168.1.16",
  "src_port": 514,
  "dest_ip": "192.168.1.16",
  "dest_port": 22,
  "proto": "TCP",
  "payload": "IFVzZXIgdWJ1bnR1IG5vdCBhbGxvd2VkIGJlY2F1c2Ugc2hlbGwgL2V0Yy9wYXNzd2QgaXMgbm90IGV4ZWN1dGFibGU=",
  "stream": "0",
  "xff": "127.0.0.1",
  "facility": "UNDEFINED",
  "priority": "UNDEFINED",
  "level": "UNDEFINED",
  "program": "sshd",
  "host": "default_sensor_name",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 5000077,
    "signature_triggered": "YWxlcnQgYW55ICRFWFRFUk5BTF9ORVQgYW55IC0+ICRIT01FX05FVCBhbnkgKG1zZzoiW09QRU5TU0hdIEF0dGVtcHQgdG8gbG9naW4gdXNpbmcgYSBkZW5pZWQgdXNlciI7IGNvbnRlbnQ6ICJub3QgYWxsb3dlZCBiZWNhdXNlIjsgZGVmYXVsdF9wcm90bzogdGNwOyBkZWZhdWx0X2RzdF9wb3J0OiAkU1NIX1BPUlQ7IGNsYXNzdHlwZTogdW5zdWNjZXNzZnVsLXVzZXI7IHByb2dyYW06IHNzaGQ7IHJlZmVyZW5jZTogdXJsLHdpa2kucXVhZHJhbnRzZWMuY29tL2Jpbi92aWV3L01haW4vNTAwMDA3Nzsgc2lkOjUwMDAwNzc7IHJldjozOyk=",
    "rev": 3,
    "signature": "[OPENSSH] Attempt to login using a denied user",
    "category": "Unsuccessful User Privilege Gain",
    "severity": 1
  },
  "normalize": null
}

ipworkx commented 3 years ago

I had that issue too, only in a different setup. The issue was related to the fact that the account you use to access your index does not have sufficient permissions to read/write to your index. Voila.
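The two comments above point at different places: the original compose/filebeat setup and the index permissions. The script below is an added diagnostic written for this thread; it is not EveBox, Filebeat or Elasticsearch code. It sends (or, offline, classifies) the kind of aggregation query a viewer like EveBox issues and separates the causes worth ruling out first: the index prefix the viewer queries does not match what Filebeat wrote (this example assumes a default prefix of "logstash" against Filebeat's "filebeat-*" indices), the account lacks read privileges on the index (ipworkx's case), or Elasticsearch answered with an error body that the client then read as a response with no aggregations. Two caveats about the posted compose file that the script does not fix for you: inside the compose network, "localhost" in the evebox container is the evebox container itself, so the Elasticsearch URL must use the service name (http://elasticsearch:9200); and xpack.security.enabled=false together with "9200:9200" publishes an unauthenticated cluster on the host, so any reachable client can read or delete the indices. All sample responses and the index listing are constructed by hand; the function and constant names are this example's own.

```python
"""Diagnose why an aggregation query came back without an "aggregations" key.

Added example for this thread; not EveBox, Filebeat or Elasticsearch code.
Sample responses and index listings are constructed by hand; the default
index prefix "logstash" is an assumption used for illustration.
"""
import json
import urllib.error
import urllib.request
from typing import Any, Dict, List

# --- constructed samples -----------------------------------------------------

# A healthy answer: "aggregations" is present even when no events matched.
OK_RESPONSE: Dict[str, Any] = {
    "took": 3, "timed_out": False,
    "hits": {"total": {"value": 1, "relation": "eq"}, "hits": []},
    "aggregations": {"event_types": {"buckets": [{"key": "alert", "doc_count": 1}]}},
}

# Index pattern does not exist (viewer asks for logstash-*, Filebeat wrote
# filebeat-*): an error body and no "aggregations" key at all.
MISSING_INDEX_RESPONSE: Dict[str, Any] = {
    "error": {"type": "index_not_found_exception",
              "reason": "no such index [logstash-*]", "index": "logstash-*"},
    "status": 404,
}

# Security enabled and the account cannot read the index.
FORBIDDEN_RESPONSE: Dict[str, Any] = {
    "error": {"type": "security_exception",
              "reason": "action [indices:data/read/search] is unauthorized for user [evebox]"},
    "status": 403,
}

# Constructed: what _cat/indices?h=index could list after this thread's
# Filebeat config has shipped one day of events.
SAMPLE_INDICES: List[str] = ["filebeat-7.10.2-2021.01.27", ".kibana_1"]


def build_query(minutes: int = 60) -> Dict[str, Any]:
    """Minimal terms aggregation over event_type: a request whose response
    must carry an "aggregations" object when the wiring is correct."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{minutes}m"}}},
        "aggs": {"event_types": {"terms": {"field": "event_type.keyword"}}},
    }


def diagnose(status: int, body: Dict[str, Any]) -> str:
    """Classify a JSON-decoded _search response body."""
    err = body.get("error")
    if err is not None:
        etype = err.get("type", "") if isinstance(err, dict) else str(err)
        reason = err.get("reason", "") if isinstance(err, dict) else ""
        if etype == "security_exception" or status in (401, 403):
            return f"auth: {reason}"          # account lacks read on the index
        if etype == "index_not_found_exception":
            return f"no-index: {reason}"      # prefix mismatch or nothing indexed yet
        return f"error: {etype} {reason}".rstrip()
    if "aggregations" not in body:
        # 200 without aggs: the "aggs" clause never reached Elasticsearch,
        # or something between client and cluster rewrote the response.
        return "no-aggregations"
    return "ok"


def matching_indices(index_names: List[str], prefix: str) -> List[str]:
    """Indices a viewer configured with this prefix would actually query
    (prefix-* plus the bare prefix, which may be an alias)."""
    return sorted(n for n in index_names
                  if n == prefix or n.startswith(prefix + "-"))


def run_live(es_url: str, prefix: str = "logstash") -> str:
    """Query a reachable cluster. Inside a docker-compose network the URL
    must use the service name (http://elasticsearch:9200), not localhost."""
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/{prefix}-*/_search",
        data=json.dumps(build_query()).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return diagnose(resp.status, json.load(resp))
    except urllib.error.HTTPError as e:      # 4xx/5xx still carry a JSON body
        return diagnose(e.code, json.load(e))


if __name__ == "__main__":
    for name, (status, body) in {"ok": (200, OK_RESPONSE),
                                 "missing index": (404, MISSING_INDEX_RESPONSE),
                                 "forbidden": (403, FORBIDDEN_RESPONSE)}.items():
        print(f"{name:14s} -> {diagnose(status, body)}")
    print("logstash prefix matches:", matching_indices(SAMPLE_INDICES, "logstash"))
    print("filebeat prefix matches:", matching_indices(SAMPLE_INDICES, "filebeat"))
```

Run it offline to see the three classifications, or call run_live("http://elasticsearch:9200", "filebeat") from inside the compose network to test the real cluster. A "no-index" result with an empty matching_indices list for the viewer's prefix means the viewer and Filebeat disagree on the index name; an "auth" result means the account, not the data, is the problem.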

jasonish commented 2 years ago

Closing. This sounds like it may have been more of an Elasticsearch/Filebeat issue.