Closed ngms17 closed 3 years ago
Can you please edit your issue to provide the actual log text instead of a screenshot? Also, please provide more details of your environment. Version of Suricata? Version of Elastic Stack? etc.
[2020-12-01T15:40:07,925][WARN ][logstash.outputs.elasticsearch][synlite_suricata][7f0f636925cafdc45ccbf6445a1562dacede6781ba4cf6f1b34e30bf21e877ba] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"suricata-1.1.0-2020.12.01", :routing=>nil, :_type=>"_doc"}, #
You will probably need to modify your suricata configuration to send the old style of DNS log. This is done in suricata.yml under the eve-log -> types section. You need to use version 1. For example...

```yaml
- dns:
    enabled: yes
    version: 1
```
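A way to confirm that the config change above actually took effect before deleting and recreating indices is to look at what Suricata is writing to eve.json. This is an added example, not part of the issue thread: it classifies DNS records as version 1 (flat, one record per answer) or version 2 (explicit `"version": 2` field, answers nested in a list) and flags a file that mixes both, since conflicting field shapes in one index are what produce the 400 indexing errors seen in the log. The EVE lines are constructed samples.

```python
import json
from collections import Counter

# Constructed sample EVE lines (not from the issue): v1 query, v1 answer, v2 answer, one non-DNS event.
SAMPLE_EVE = """\
{"timestamp":"2020-12-01T15:40:00.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","id":1234,"rrname":"example.com","rrtype":"A","tx_id":0}}
{"timestamp":"2020-12-01T15:40:00.001000+0000","event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.5","dns":{"type":"answer","id":1234,"rrname":"example.com","rrtype":"A","ttl":300,"rdata":"93.184.216.34"}}
{"timestamp":"2020-12-01T15:40:01.000000+0000","event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.5","dns":{"version":2,"type":"answer","id":1235,"rrname":"example.org","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"example.org","rrtype":"A","ttl":300,"rdata":"93.184.216.34"}]}}
{"timestamp":"2020-12-01T15:40:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.53"}
"""

def dns_format_version(event):
    """Return 1 or 2 for a DNS EVE record, or None for a non-DNS event."""
    if event.get("event_type") != "dns" or not isinstance(event.get("dns"), dict):
        return None
    dns = event["dns"]
    # v2 records carry an explicit version field and nest answers in a list;
    # v1 records emit one flat record per answer with rdata directly under "dns".
    if dns.get("version") == 2 or isinstance(dns.get("answers"), list):
        return 2
    return 1

def count_dns_versions(eve_text):
    """Count DNS events per format version across EVE JSON-lines text."""
    counts = Counter()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            counts["malformed"] += 1
            continue
        version = dns_format_version(event)
        if version is not None:
            counts[f"v{version}"] += 1
    return counts

def mixed_versions(counts):
    """True when both v1 and v2 DNS records are present: the index would
    receive conflicting field shapes, so indexing failures are expected."""
    return counts["v1"] > 0 and counts["v2"] > 0

if __name__ == "__main__":
    c = count_dns_versions(SAMPLE_EVE)
    print(dict(c), "mixed:", mixed_versions(c))
```

Run it against the real eve.json (for example after restarting Suricata) and expect only `v1` counts once the change is in place.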
Unfortunately it didn't resolve the problem
You will have to delete any indices that were already created. Also... what versions of Suricata and the Elastic Stack are you using?
All of the recent ones
That could be part of the problem. This solution was created using Elastic Stack 7.1.x. It hasn't been tested with any of the latest versions.
I will try that solution. If it does not work, I will have to downgrade. What version of suricata are you using?
Are you thinking of upgrading to newer versions?
None at the moment actually. I think 4.x was current at the time this was created. I would have to spend some time to fully upgrade everything to support the latest releases. However, I won't realistically be able to get to that until after the new year.