jasonish / evebox

Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
https://evebox.org/
MIT License

Fails to import AWS Network Firewall netflow logs #280

Closed jdeluyck closed 11 months ago

jdeluyck commented 11 months ago

I've been trying to use evebox on the netflow logs from AWS Network Firewall, which uses Suricata under the hood.

The error I get back is

2023-08-09 13:09:20 ERROR evebox::commands::oneshot: Import failure: timestamp parse error

Small file which should work but doesn't

{"firewall_name":"aws-nfw","availability_zone":"eu-west-1a","event_timestamp":"1691497800","event":{"tcp":{"tcp_flags":"1b","syn":true,"fin":true,"psh":true,"ack":true},"app_proto":"tls","src_ip":"5.5.5.5","src_port":443,"netflow":{"pkts":11,"bytes":6458,"start":"2023-08-08T12:27:42.427112+0000","end":"2023-08-08T12:27:43.291588+0000","age":1,"min_ttl":47,"max_ttl":241},"event_type":"netflow","flow_id":1085186649261160,"dest_ip":"6.6.6.6","proto":"TCP","dest_port":49332,"timestamp":"2023-08-08T12:30:00.047170+0000"}}
jasonish commented 11 months ago

The Suricata event is nested under the event field here, so it will need some conversion like:

cat input.json | jq -c .event > fixed.json
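
As an added example (not evebox code, and not from the AWS Network Firewall documentation), the following Python script does what the jq one-liner above does, but also checks the field evebox actually needs: a top-level EVE "timestamp" it can parse. It unwraps each line's nested "event" object, passes already-flat EVE records through untouched, and reports any line that would still fail import (envelope with no nested event, non-JSON, or a timestamp in a layout other than Suricata's) with the line number and reason rather than stopping at the first bad line. The "aws_nfw" key, under which it optionally keeps the envelope fields that `jq .event` discards, and the `keep_envelope` option are assumptions of this example, not something evebox or AWS defines; the second sample line is constructed.

```python
import json
import sys
from datetime import datetime

# Constructed sample input: the AWS Network Firewall line posted in this issue
# (envelope fields plus the Suricata event nested under "event"), followed by
# a constructed plain Suricata EVE line to show that the unwrapper passes
# already-flat records through untouched.
SAMPLE_LINES = [
    '{"firewall_name":"aws-nfw","availability_zone":"eu-west-1a","event_timestamp":"1691497800",'
    '"event":{"tcp":{"tcp_flags":"1b","syn":true,"fin":true,"psh":true,"ack":true},'
    '"app_proto":"tls","src_ip":"5.5.5.5","src_port":443,'
    '"netflow":{"pkts":11,"bytes":6458,"start":"2023-08-08T12:27:42.427112+0000",'
    '"end":"2023-08-08T12:27:43.291588+0000","age":1,"min_ttl":47,"max_ttl":241},'
    '"event_type":"netflow","flow_id":1085186649261160,"dest_ip":"6.6.6.6",'
    '"proto":"TCP","dest_port":49332,"timestamp":"2023-08-08T12:30:00.047170+0000"}}',
    '{"timestamp":"2023-08-08T12:31:05.000001+0000","event_type":"flow",'
    '"flow_id":42,"src_ip":"10.0.0.1","src_port":1234,"dest_ip":"10.0.0.2","dest_port":80,"proto":"TCP"}',
]

# Suricata EVE timestamp layout, e.g. 2023-08-08T12:30:00.047170+0000
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_eve_timestamp(ts):
    """Parse an EVE-style timestamp; raises ValueError on anything else
    (including the envelope's epoch-string "event_timestamp")."""
    return datetime.strptime(ts, EVE_TS_FORMAT)


def unwrap_nfw_record(record, keep_envelope=True):
    """Return the Suricata EVE event for one parsed log record.

    AWS Network Firewall wraps the EVE event under "event" and adds its own
    envelope fields (firewall_name, availability_zone, event_timestamp).
    Records without an "event" object are treated as already-flat EVE and
    returned unchanged. When keep_envelope is set, the envelope fields are
    copied into the event under a hypothetical "aws_nfw" key so they are not
    lost the way a bare `jq .event` loses them.
    """
    if not isinstance(record.get("event"), dict):
        return record
    eve = dict(record["event"])
    if keep_envelope:
        eve["aws_nfw"] = {k: v for k, v in record.items() if k != "event"}
    return eve


def convert_lines(lines, keep_envelope=True):
    """Unwrap each JSON line and validate the field evebox needs.

    Returns (events, errors): events is the list of flat EVE dicts that have a
    parseable top-level "timestamp"; errors is a list of (line_number, reason)
    for lines that would still fail import, so they can be reported instead of
    silently dropped.
    """
    events, errors = [], []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((lineno, f"invalid JSON: {exc}"))
            continue
        eve = unwrap_nfw_record(record, keep_envelope)
        ts = eve.get("timestamp")
        if not isinstance(ts, str):
            errors.append((lineno, "no top-level 'timestamp' field"))
            continue
        try:
            parse_eve_timestamp(ts)
        except ValueError:
            errors.append((lineno, f"unparseable timestamp {ts!r}"))
            continue
        events.append(eve)
    return events, errors


def main():
    # Usage: python nfw_to_eve.py < input.json > fixed.json
    # With no redirected stdin, the constructed sample lines are converted.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    events, errors = convert_lines(source)
    for eve in events:
        print(json.dumps(eve, separators=(",", ":")))
    for lineno, reason in errors:
        print(f"line {lineno}: {reason}", file=sys.stderr)
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main())
```

The resulting fixed.json is one flat EVE record per line, which is the shape `evebox oneshot` expects. Passing `keep_envelope=False` reproduces the exact output of `jq -c .event`; keeping the envelope is only useful if you want to filter by firewall name or availability zone once the events are indexed.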
jdeluyck commented 11 months ago

The Suricata event is nested under the event field here, so it will need some conversion like:

cat input.json | jq -c .event > fixed.json

Thank you! I'm fairly new to EVE logging, so I hadn't noticed that...