Closed b4b857f6ee closed 4 years ago
@b4b857f6ee - Based on your logs, you're accessing Kibana from a Windows OS - correct? If so, when downloading the .ndjson file to import, pay particular attention to the file extension.
I would recommend using a text editor such as Sublime or Notepad++, as the Windows text editor will add a .txt extension, resulting in the error described.
Hum... I'm just dragging and dropping the ndjson into the interface.
I'm using this one:
Ok, import of Suricata works, HAProxy too, with the same alert as in your YT video.
Maybe because the dashboard starts with this: {"attributes":{"fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":fals
And the Suricata one starts like the second line of the Firewall.ndjson.
You should be able to import the firewall, squid, unbound and suricata dashboards without error. Snort and HAProxy were not developed at the same time and I've noted the import issue with both which is likely due to multiple fields being defined by multiple index patterns.
The snort template looks good but I would try one change within the haproxy template:
"@timestamp": {
"type": "date"
},
Remove lines 75-77, as '@timestamp' is previously defined.
I'll need to dig into the dashboards and further explore this issue - thanks!
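Two checks that follow from the comment above, written here as an added example (not part of the docker-pfelk project): one flags a key mapped twice in an index template, as with the duplicated '@timestamp', and the other reads a Kibana 7.x ndjson export and lists field names that more than one index pattern defines. The index-pattern titles and field names in the sample input are constructed for the demo.

```python
import json
from collections import defaultdict


def find_duplicate_keys(text):
    """Return keys that occur twice within one JSON object (json.loads alone
    would silently keep the last '@timestamp' and hide the problem)."""
    duplicates = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                duplicates.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return duplicates


def fields_per_index_pattern(ndjson_text):
    """Map field name -> index-pattern titles, for names that more than one
    pattern defines. In a Kibana 7.x export each line is one saved object and
    an index pattern's 'fields' attribute is itself a JSON-encoded string."""
    owners = defaultdict(list)
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("type") != "index-pattern":
            continue
        for field in json.loads(obj["attributes"]["fields"]):
            owners[field["name"]].append(obj["attributes"]["title"])
    return {name: titles for name, titles in owners.items() if len(titles) > 1}


def _pattern(title, fields):  # helper to build one constructed export line
    attrs = {"title": title, "fields": json.dumps(fields)}
    return json.dumps({"type": "index-pattern", "attributes": attrs})


# Constructed sample: an index template that maps '@timestamp' twice.
TEMPLATE = '{"mappings":{"properties":{"@timestamp":{"type":"date"},"@timestamp":{"type":"date"}}}}'
# Constructed sample export: two index patterns both define 'src_ip'.
EXPORT = "\n".join([
    _pattern("pfelk-firewall-*", [{"name": "@timestamp", "type": "date"}, {"name": "src_ip", "type": "ip"}]),
    _pattern("pfelk-haproxy-*", [{"name": "src_ip", "type": "ip"}, {"name": "backend", "type": "string"}]),
    json.dumps({"type": "dashboard", "attributes": {"title": "HAProxy"}}),
])
```

Run find_duplicate_keys on the template file and fields_per_index_pattern on the exported .ndjson before importing; an empty result from both means neither of the two conditions above is present.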
Wait a minute :D. Ok, I will test. On your opnsense guide you say port UDP 5140, but the docker logstash conf is:
ports:
The 01-inputs.conf should contain inputs for 5140, 5141, 5040, 5190 and 5044:
5140 - is for pf/opnsense
5141 - is for pf/opnsense (second instance)
5040 - is for suricata
5190 - is for haproxy
The instructions depict sending pf/opnsense logs via port 5140. However, looking back at this thread... it appears you are not receiving haproxy logs - correct?
Oh, I really need to do this, I think:
Scaling out pfelk Replace docker-compose.yml with this version of docker-compose.yml
I don't know where to find 01-inputs.conf in the docker logstash.
The *.conf files are located in /logstash/conf.d/
Ok, I think I missed something from the beginning:
Ok ok, I used the zip from the other repo I think, not the docker one.... (idiot!!!!) Let me retry it from the start :)
That is specified within the Docker.yml file on lines 87-91.
For example (line 87):
- ./logstash/config/:/usr/share/logstash/config/
The first part specifies that './logstash/config/' will bind to '/usr/share/logstash/config/'
You'll need to make sure the Docker.yml file and/or specified config files are placed in the right location otherwise the docker may fail to start and/or not have the required files.
The instructions here should get you up and running in a few minutes by following steps 1-4.
Yes, I was following it but with the wrong docker content. Let me do it right now.
Aaaaaa, now I have no problem with the dashboard import ahah.
Just for your information, I'm going to do the same as I already did with StamusNetwork, with Grafana instead of Kibana (https://github.com/b4b857f6ee/selks_grafana_dashboard)
Addition for your tuto (I hope I didn't miss the line): I don't find the "5141 - is for pf/opnsense (second instance)" information :)
Excellent!
The second line for port 5141 is optional. It's for those with more than one pf/opnsense instance.
I haven’t dabbled with Grafana but once created, I’ll be sure to add your link.
Thanks!
On Thu, Oct 29, 2020 at 14:24 b4b857f6ee notifications@github.com wrote:
;).
Now I'm checking to get the logs.
Ahhh, I got it :).
Thank you for your time.
Describe the bug: I can't import dashboard.
Thank you for your help 👍
Operating System (output of printf "$(uname -srm)\n$(cat /etc/os-release)\n"):
Linux 3.10.0-1127.19.1.el7.x86_64 x86_64
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
docker -v: Docker version 19.03.13, build 4484c46d9d
docker-compose -v: docker-compose version 1.18.0, build 8dd22a9
Elasticsearch, Logstash, Kibana: Version of ELK (cat /docker-pfelk/.env): 7.9.2
Service logs:
docker-compose logs pfelk01
docker-compose logs pfelk02
docker-compose logs pfelk03
docker-compose logs logstash
docker-compose logs kibana