sorry there is no data to graph

[swe3per]

os:debian8 x64 version:EveBox Version 0.9.0dev (rev 47beb37) use repository to install evebox mechine A:suricata + filebeat mechine B:ELK + evebox in stable/unstable version evebox report no graph, in the dev version report page allways "loadding.."

[jasonish]

Do the Inbox/Alerts/Events views work? Which report doesn't work.

Please tell me your versions of Logstash, Filebeat and Elastic Search. There are currently problems with version 6 of the ELK stack.

[swe3per]

other page work fine,alert/ssh report have blank div lodding page,other report just no graph. elk version:6.1.3 filebeat version:filebeat version 6.1.1 (arm), libbeat 6.1.1

[jasonish]

I'll be fixing Elastic v6 support soon: https://github.com/jasonish/evebox/issues/67

[swe3per]

ttttttttthx!

[jasonish]

Give the latest unstable (git master) build a shot. I fixed a few issues with reports and am currently using it successfully against Logstash/ElasticSearch 6.

I still have issues when going from eve -> Filebeat -> ElasticSearch. I'm not sure if I'm going to be able to fix that or not. However, eve -> Logstash -> ES, and eve -> Filebeat -> Logstash -> ES should work fine.

[swe3per]

thx! should i get new unstable code and compile it? i tested suricata and filebeat on embedded device(Raspberry Pi/pcduino etc.),logstash is not necessary

[jasonish]

Yes please. The main issue with Filebeat in its own is it uses a different template than Logstash which appears to give Evebox issues. It’s something I need to look into further as it did work with Filebeat 5 without Logstash.

[swe3per]

i cant compile it..there have problem go version go1.9.3 linux/amd64 nodejs version v8.9.4

Error: Cannot find module '/root/go/src/github.com/jasonish/evebox/webapp/node_modules/webpack/node_modules/uglifyjs-webpack-plugin/lib/post_install.js' at Function.Module._resolveFilename (module.js:538:15) at Function.Module._load (module.js:468:25) at Function.Module.runMain (module.js:684:10) at startup (bootstrap_node.js:187:16) at bootstrap_node.js:608:3 npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.1.3 (node_modules/fsevents): npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"}) npm WARN optional SKIPPING OPTIONAL DEPENDENCY: node-sass@4.7.2 (node_modules/node-sass): npm WARN optional SKIPPING OPTIONAL DEPENDENCY: node-sass@4.7.2 install: node scripts/install.js npm WARN optional SKIPPING OPTIONAL DEPENDENCY: Exit status 1

npm ERR! code ELIFECYCLE npm ERR! errno 1 npm ERR! uglifyjs-webpack-plugin@0.4.6 postinstall: node lib/post_install.js npm ERR! Exit status 1 npm ERR! npm ERR! Failed at the uglifyjs-webpack-plugin@0.4.6 postinstall script. npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in: npm ERR! /root/.npm/_logs/2018-02-04T21_27_20_495Z-debug.log

i download and install lastest deb from https://evebox.org/files/development/,there also no graph and blank loading page.. console warning :

2018-02-05 05:32:47 (elasticsearch.go:216) -- Failed to parse template, keyword resolution delayed. 2018-02-05 05:32:47 (elasticsearch.go:217) -- Template: {}

[jasonish]

Do you use the default Logstash template and index name? Any customizations?

[swe3per]

index: filebeat

[swe3per]

loading page

[jasonish]

Ah, like I mentioned earlier I don't think EveBox works with the filebeat 6 index/templates. It does work with the Logstash 6 templates. And I did have it working with the filebeat 5 index/templates. Just to be sure with filebeat, are you using the json.keys_under_root or whatever it is? Otherwise filebeat will add the EVE events to ES as a text string, not JSON.

As for compiling, node and friends are really picky with versions. I use 8.9.3 to build releases now. 8.9.4 (the latest stable should also work).

I guess I'm mostly interested in if the Logstash use case works for you now. As I know there are issues with Filebeat straight to Elastic Search.

[swe3per]

yeah,i using "json.keys_under_root: true" in my filebeat config file. what can i do now ? maybe waitting for u compile new dev version? :P

[jasonish]

maybe waitting for u compile new dev version? :P

Builds from git master are placed here every hour: https://evebox.org/files/development/

I've done some simple tests which are:

• Filebeat 6.1.3 reading eve and sending directly to Elastic Search 6.1.3 (my filebeat config: https://github.com/jasonish/evebox/wiki/Filebeat-Configuration#filebeat-directly-to-elastic-search)
• Logstash 6.1.3 reading eve and sending directly to Elastic Search 6.1.3.

On their own they both work. Its import to note that Logstash will log to an index named "logstash..." whereas filebeat will log to an index "filebeat...", but EveBox can only handle one pattern. If using a mix of Filebeat and Logstash, you'd probably be better off pointing Filebeat and Logstash so all events come from Logstash and get placed into the same index.

You'll want the latest build, it fixes some issues you might run into on a fresh install where the database lacks certain event type.

[swe3per]

thx! i just using filebeat 👍

[jasonish]

You should be good to go then. At least on an all fresh install of Filebeat and Elastic Search 6, its working for me.

[swe3per]

hello,thx for u help, i installed new version evebox1:0.9.0~dev1517925576 its no loading "blank page" but in report page,i also cant see graph for ssh/alert..

[jasonish]

Do the Inbox/Escalated/Alerts/Events tabs work? How about the "Flow" report.

[swe3per]

sorry,ssh report have pie graph Inbox/Escalated/Alerts/Events tabs all working,just flow/alert no graph

[swe3per]

and report->netflow page,also have "blank page/div",other report page none

[jasonish]

netflow is disabled by default in Suricata, so unless you enabled it, it is most likely going to be blank. Flow on the other hand should work.

[swe3per]

yeah,report->flow page its working,just no graph,no blank page/div i enable netflow in suricata

[jasonish]

Do you have a screenshot? If using Chrome, any errors in the web development console?

My Filebeat/ElasticSearch 6 setup works fine. I actually have it on git:

https://github.com/jasonish/evebox/tree/master/docker/compose-filebeat-elasticsearch-6

as a docker-compose setup. Maybe compare the versions and configuration file to your setup?

Do you see "flow" events under the "Events" tab?

[swe3per]

yeah,i see flow and netflow under the events tab alert page screenshot netflow page screenshot

[jasonish]

Something might be wrong with your elasticsearch template, can you send the output of:

curl http://localhost:9200/_template/

replacing localhost with your elasticsearch host of course.

[swe3per]

curl http://10.0.0.10:9200/_template/ {"filebeat-6.1.1":{"order":1,"index_patterns":["filebeat-6.1.1-*"],"settings":{"index":{"mapping":{"total_fields":{"limit":"10000"}},"refresh_interval":"5s","number_of_routing_shards":"30","number_of_shards":"3"}},"mappings":{"doc":{"_meta":{"version":"6.1.1"},"date_detection":false,"dynamic_templates":[{"strings_as_keyword":{"mapping":{"ignore_above":1024,"type":"keyword"},"match_mapping_type":"string"}}],"properties":{}}},"aliases":{}},"kibana_index_template:.kibana":{"order":0,"index_patterns":[".kibana"],"settings":{"index":{"number_of_shards":"1"}},"mappings":{"doc":{"dynamic":"strict","properties":{"type":{"type":"keyword"},"updated_at":{"type":"date"},"config":{"dynamic":true,"properties":{"buildNum":{"type":"keyword"}}},"index-pattern":{"properties":{"fieldFormatMap":{"type":"text"},"fields":{"type":"text"},"intervalName":{"type":"keyword"},"notExpandable":{"type":"boolean"},"sourceFilters":{"type":"text"},"timeFieldName":{"type":"keyword"},"title":{"type":"text"}}},"visualization":{"properties":{"description":{"type":"text"},"kibanaSavedObjectMeta":{"properties":{"searchSourceJSON":{"type":"text"}}},"savedSearchId":{"type":"keyword"},"title":{"type":"text"},"uiStateJSON":{"type":"text"},"version":{"type":"integer"},"visState":{"type":"text"}}},"search":{"properties":{"columns":{"type":"keyword"},"description":{"type":"text"},"hits":{"type":"integer"},"kibanaSavedObjectMeta":{"properties":{"searchSourceJSON":{"type":"text"}}},"sort":{"type":"keyword"},"title":{"type":"text"},"version":{"type":"integer"}}},"dashboard":{"properties":{"description":{"type":"text"},"hits":{"type":"integer"},"kibanaSavedObjectMeta":{"properties":{"searchSourceJSON":{"type":"text"}}},"optionsJSON":{"type":"text"},"panelsJSON":{"type":"text"},"refreshInterval":{"properties":{"display":{"type":"keyword"},"pause":{"type":"boolean"},"section":{"type":"integer"},"value":{"type":"integer"}}},"timeFrom":{"type":"keyword"},"timeRestore":{"type":"boolean"},"timeTo":{"type":"keyword"},"title":{"type":"text"},"uiStateJSON":{"type":"text"},"version":{"type":"integer"}}},"url":{"properties":{"accessCount":{"type":"long"},"accessDate":{"type":"date"},"createDate":{"type":"date"},"url":{"type":"text","fields":{"keyword":{"type":"keyword","ignore_above":2048}}}}},"server":{"properties":{"uuid":{"type":"keyword"}}},"timelion-sheet":{"properties":{"description":{"type":"text"},"hits":{"type":"integer"},"kibanaSavedObjectMeta":{"properties":{"searchSourceJSON":{"type":"text"}}},"timelion_chart_height":{"type":"integer"},"timelion_columns":{"type":"integer"},"timelion_interval":{"type":"keyword"},"timelion_other_interval":{"type":"keyword"},"timelion_rows":{"type":"integer"},"timelion_sheet":{"type":"text"},"title":{"type":"text"},"version":{"type":"integer"}}}}}},"aliases":{}}}%

[swe3per]

i tested time options for "last hour/last 3 hour" evebox no data to show,but i selected last 12 hour there have data. 2 mechines time is same. is this no graph question from ?

[swe3per]

i selected "all" time option,alert/flow no graph

[jasonish]

Ok, right now I don't really have an idea of why its not working. What are you using for the --index option to evebox?

[swe3per]

filebeat

On Wed, Feb 7, 2018 at 05:19 Jason Ish notifications@github.com wrote:

Ok, right now I don't really have an idea of why its not working. What are you using for the --index option to evebox?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/jasonish/evebox/issues/70#issuecomment-363567931, or mute the thread https://github.com/notifications/unsubscribe-auth/AHte5ZXyWJEuTa75a5xB6TMeRj9KOuYyks5tSMHYgaJpZM4R3uaj .

-- Ackrootkit ackrootkit[AT]gmail.com http://x73.cc Welcome To My World!

[jasonish]

Closing due to inactivity.