jasonish / evebox

Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
https://evebox.org/
MIT License

Support Elastic Search ECS #97

Closed jasonish closed 2 years ago

jasonish commented 5 years ago

Filebeat now includes a Suricata module that reads Suricata EVE logs and stores them in Elastic Search, however it does not store them in the same format that Eve records have been traditionally stored in Elastic Search, but instead reformats them to the Elastic Common Schema (ECS).

https://github.com/elastic/ecs https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-suricata.html

I expect we'll see more use of this module so EveBox should support events stored in this format. But it's not a simple task and will take some time.

Related issue: https://github.com/jasonish/evebox/issues/96

psuhaj commented 3 years ago

Hi, does this problem appear only when using the Suricata module? Will it work if I configure filebeat as written here https://github.com/jasonish/evebox/wiki/Example-Filebeat-Configuration? Or is it fixed now in some development version? Thank you.

jasonish commented 2 years ago

I've done some changes to Elastic field mapping, and now with the --ecs option, most things seem to work as expected when adding Suricata events to Elastic with the Filebeat suricata module.
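The two layouts this thread contrasts (a native EVE record as Suricata writes it, versus the ECS document the Filebeat Suricata module stores and that the --ecs option targets), as an added example that is not part of the EveBox code base: a small normalizer that extracts the same alert fields from either layout. The ECS field names used here (source.ip, destination.ip, network.transport, suricata.eve.*) are assumptions about the module's mapping, not taken from the issue, and the two sample documents are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AlertSummary:
    src_ip: str
    dest_ip: str
    proto: str
    signature: str
    signature_id: int

def _get(doc, path):
    """Walk a dotted path such as 'suricata.eve.alert.signature' through nested dicts."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def is_ecs(doc):
    """The Filebeat Suricata module nests the original record under suricata.eve (assumed)."""
    return isinstance(doc.get("suricata"), dict) and "eve" in doc["suricata"]

def summarize_alert(doc) -> Optional[AlertSummary]:
    """Return the alert fields a viewer needs, whichever of the two layouts the document uses."""
    if is_ecs(doc):
        if _get(doc, "suricata.eve.event_type") != "alert":
            return None
        return AlertSummary(
            src_ip=_get(doc, "source.ip"),
            dest_ip=_get(doc, "destination.ip"),
            proto=str(_get(doc, "network.transport") or "").upper(),  # ECS lowercases proto
            signature=_get(doc, "suricata.eve.alert.signature"),
            signature_id=int(_get(doc, "suricata.eve.alert.signature_id")),
        )
    if doc.get("event_type") != "alert":  # native EVE: flat top-level fields
        return None
    return AlertSummary(
        src_ip=doc["src_ip"], dest_ip=doc["dest_ip"], proto=doc["proto"],
        signature=doc["alert"]["signature"], signature_id=int(doc["alert"]["signature_id"]),
    )

# Constructed samples: one alert as Suricata writes it, and as the module would store it (assumed names).
NATIVE_EVE = {"timestamp": "2019-05-01T12:00:00.000000+0000", "event_type": "alert",
              "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10", "proto": "TCP",
              "alert": {"signature": "ET POLICY Example", "signature_id": 2000001}}
ECS_EVE = {"@timestamp": "2019-05-01T12:00:00.000Z", "source": {"ip": "10.0.0.5"},
           "destination": {"ip": "192.0.2.10"}, "network": {"transport": "tcp"},
           "suricata": {"eve": {"event_type": "alert", "alert": {"signature": "ET POLICY Example", "signature_id": 2000001}}}}
```

Both samples normalize to the same AlertSummary; non-alert events (flow, dns, ...) in either layout yield None so a viewer can skip them.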