jasonish / evebox

Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
https://evebox.org/
MIT License

Empty error when viewing events #241

Open biolds opened 1 year ago

biolds commented 1 year ago

I'm running Evebox 0.16 (Debian package install), and have noticed an error is triggered when viewing an event. To trigger it, I go to the "Events" top menu entry, then click on an event (from my testing, it seems to trigger on all events):

[screenshot: evebox]

It seems like it's expecting an event key in the Suricata events, are these mandatory?

The full error stack:

TypeError: t._source.event is undefined
    Q1 https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    setupEvent https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    refresh https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    invoke https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    onInvoke https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    invoke https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    run https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    F https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    invokeTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    onInvokeTask https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    invokeTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    runTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    L https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    invokeTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    S https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    D https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    p https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    scheduleTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    onScheduleTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    scheduleTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    scheduleTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    scheduleEventTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    l https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    handle https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    _trySubscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    subscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    In https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    _innerSub https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    _tryNext https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    _next https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    next https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    ns https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    _trySubscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    subscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    call https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    subscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    call https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    subscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    call https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    subscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    call https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    subscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    toPromise https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    t https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    toPromise https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    getEventById https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    refresh https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    ngOnInit https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    __tryOrUnsub https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    next https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    _next https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    next https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    _subscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    _trySubscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    _trySubscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    subscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    subscribe https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    ngOnInit https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    uy https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    Np https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    cl https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    a_ https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    DF https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    a_ https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    TF https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    sF https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    a_ https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    c_ https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    detectChanges https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    tick https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    next https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    invoke https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    onInvoke https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    invoke https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    run https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    run https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    next https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    __tryOrUnsub https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    next https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    _next https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    next https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    next https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    emit https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    fb https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    onHasTask https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    hasTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    _updateTaskCount https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    _updateTaskCount https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    runTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    L https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    invokeTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    S https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    D https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    p https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    scheduleTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    onScheduleTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    scheduleTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    scheduleTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    scheduleEventTask https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    l https://10.136.0.85/evebox/polyfills.fe7f0762a3a47c57.js:1
    addEventListener https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    addEventListener https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    listen https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    listen https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    gT https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    Le https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    Lne https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    jM https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    Mv https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    createEmbeddedView https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    createEmbeddedView https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    _applyChanges https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    forEachOperation https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    _applyChanges https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    ngDoCheck https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    uy https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    Np https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    cl https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    a_ https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    DF https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    a_ https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    TF https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
    sF https://10.136.0.85/evebox/main.bed6e979532f53c3.js:1
main.bed6e979532f53c3.js:1:511275

jasonish commented 1 year ago

This looks like you may be using ECS which is still a work in progress? Are you using Filebeat with the Suricata module? If so, can you let me know which version of Filebeat and Elastic you are using?

biolds commented 1 year ago

I'm forwarding data with the file module of Filebeat (with Logstash and ES at version 7.17). I didn't do anything special or try to enable ECS, though I see an ecs.version key in my events.

jasonish commented 1 year ago

Does your config look something like https://github.com/jasonish/evebox/wiki/Example-Filebeat-to-Logstash-Configuration?

There are many ways to get the data into Elastic that all result in slightly different schemas, so I need as much detail as possible please.

biolds commented 1 year ago

Yes, the conf is similar to this one. It seems Filebeat is actually adding the ecs field: when I take the Suricata JSON as file input and use a file output, the ecs field is present. I think the field appeared when I switched from filebeat-oss to the filebeat-free version.

jasonish commented 1 year ago

Ok. This is a setup I haven't tested recently. Even though ecs might be present, Suricata events are only converted to ecs format when using the Filebeat Suricata module. So make sure you are not providing the --ecs flag to EveBox unless you are using the Filebeat Suricata module.

Short of that, this will likely have to wait until I can test this similar setup.
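A defensive schema check, added here as an example and not EveBox's own code: it tells the ECS layout written by the Filebeat Suricata module (assumed to nest the original record under `suricata.eve`) apart from the raw EVE layout forwarded by the file input, which is the shape that leaves `_source.event` undefined in this issue. The sample hits are constructed; the field names are assumptions.

```javascript
// Added example, not EveBox code. Guard a hit before reading `_source.event`
// so a schema mismatch yields a clear error instead of
// "TypeError: t._source.event is undefined".
// Layout assumption: the Filebeat Suricata module (ECS) keeps the original EVE
// record under `suricata.eve`; the file input leaves EVE keys at top level.

// Constructed sample hit in ECS layout (Filebeat Suricata module).
const ecsHit = {
  _id: "1",
  _source: {
    "@timestamp": "2023-01-01T00:00:00.000Z",
    ecs: { version: "1.12.0" },
    event: { kind: "alert", dataset: "suricata.eve" },
    suricata: { eve: { event_type: "alert", alert: { signature: "TEST" } } },
  },
};

// Constructed sample hit in raw EVE layout (Filebeat file input, as in this
// issue). Note `ecs.version` is present even though nothing is ECS-shaped.
const rawEveHit = {
  _id: "2",
  _source: {
    "@timestamp": "2023-01-01T00:00:00.000Z",
    ecs: { version: "1.12.0" },
    event_type: "alert",
    alert: { signature: "TEST" },
  },
};

// Classify a hit by its actual structure, never by the presence of `ecs`.
function detectSchema(hit) {
  const src = hit && hit._source;
  if (!src || typeof src !== "object") return "unknown";
  const hasEcsEvent = src.event && typeof src.event === "object";
  if (hasEcsEvent && src.suricata && src.suricata.eve) return "ecs";
  if (typeof src.event_type === "string") return "eve";
  return "unknown";
}

// Return the EVE record for either layout, or fail with a message that points
// at the --ecs / ingest-path mismatch instead of a bare TypeError.
function eveRecord(hit) {
  switch (detectSchema(hit)) {
    case "ecs": return hit._source.suricata.eve;
    case "eve": return hit._source;
    default:
      throw new Error(`hit ${hit && hit._id}: neither ECS nor raw EVE layout; ` +
        "check that the --ecs flag matches how events were ingested");
  }
}
```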

biolds commented 1 year ago

I'm not passing the --ecs flag when running evebox, and don't have an option in the YAML file to specify it.