Closed webhead404 closed 4 years ago
Verified, this is an artifact of the export script from the VM that it was collected from.
@bndabbs @dcode do you know what this should be or how to sanitize it?
@bndabbs @dcode any thoughts on how to sanitize this? Likely an artifact of the export script for dashboards. This prevents Docket from working.
In the calculated field in the index pattern (each of the index patterns), make the URL relative to the host, i.e. /app/docket/uri/blah or whatever. Delete all the http://1.2.3.4.
{"attributes":{"fieldFormatMap":"{\"event.duration\":{\"id\":\"duration\",\"params\":{\"parsedUrl\":{\"origin\":\"https://172.16.181.137\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"inputFormat\":\"nanoseconds\"}},\"conn.duration\":{\"id\":\"duration\",\"params\":{\"parsedUrl\":{\"origin\":\"https://172.16.181.137\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"inputFormat\":\"nanoseconds\"}},\"files.duration\":{\"id\":\"duration\",\"params\":{\"parsedUrl\":{\"origin\":\"https://172.16.181.137\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"pcap.query\":{\"id\":\"url\",\"params\":{\"parsedUrl\":
...
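As an added example (not code from this thread or from the rocknsm project), a small Python script that applies the sanitization suggested above to an exported index-pattern ndjson file: it decodes the fieldFormatMap string nested inside each record, drops the exported parsedUrl blocks so the links stay relative to whichever host serves Kibana (an assumption about how Kibana fills parsedUrl in at load time), and then checks that no absolute origin is left in the file. The sample record, its "ecs-*" title and the Docket urlTemplate are constructed; only the 172.16.181.137 origin comes from the record quoted above.

```python
import json
import re
from typing import List, Tuple

EXPORTED_ORIGIN = "https://172.16.181.137"  # the hardcoded origin quoted in the thread

def sample_record() -> str:
    """Constructed ndjson record in the shape quoted above (not a real export)."""
    parsed_url = {"origin": EXPORTED_ORIGIN, "pathname": "/app/kibana", "basePath": ""}
    fmap = {
        "event.duration": {"id": "duration",
                           "params": {"parsedUrl": dict(parsed_url), "inputFormat": "nanoseconds"}},
        "pcap.query": {"id": "url",  # hypothetical Docket link template
                       "params": {"parsedUrl": dict(parsed_url), "urlTemplate": "/app/docket/uri/{{value}}"}},
    }
    record = {"id": "ecs-*", "type": "index-pattern",
              "attributes": {"title": "ecs-*", "fieldFormatMap": json.dumps(fmap)}}
    return json.dumps(record) + "\n"

def sanitize_field_format_map(raw_map: str) -> Tuple[str, int]:
    """Drop each exported parsedUrl block so links stay relative to whichever host serves
    Kibana (assumption: Kibana fills parsedUrl in from the browser when it loads the pattern)."""
    fmap = json.loads(raw_map)  # fieldFormatMap is a JSON string nested inside the record's JSON
    removed = 0
    for fmt in fmap.values():
        params = fmt.get("params") or {}
        if "parsedUrl" in params:
            del params["parsedUrl"]
            removed += 1
    return json.dumps(fmap), removed

def sanitize_ndjson(text: str) -> Tuple[str, int]:
    """Rewrite every saved-object line; records without a fieldFormatMap pass through unchanged."""
    out: List[str] = []
    total = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        attrs = obj.get("attributes") or {}
        if isinstance(attrs.get("fieldFormatMap"), str):
            attrs["fieldFormatMap"], n = sanitize_field_format_map(attrs["fieldFormatMap"])
            total += n
        out.append(json.dumps(obj, separators=(",", ":")))
    return "\n".join(out) + "\n", total

def leaked_origins(text: str) -> List[str]:
    """Post-check: absolute http(s) origins still embedded anywhere in the file."""
    return sorted(set(re.findall(r"https?://[A-Za-z0-9.\-]+(?::\d+)?", text)))
```

Run leaked_origins over the rewritten file before importing it; a non-empty list means an origin survived somewhere the fieldFormatMap walk did not reach.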
That won't fix the build. It needs to be fixed in the repo so that when ROCK is built, it uses the URL relative to the host.
@bndabbs and I are working on this.
Needs to be done in ecs-all...
and ecs-suricata...
Pushed a fix into master. Doing tests.
Appears to be fixed in this release: https://mirror.rocknsm.io/isos/testing/rocknsm-20200607-18:58:06.iso
Recommended pushing into Stable.
As a workaround, you can do this:
curl -OL https://raw.githubusercontent.com/rocknsm/rock-dashboards/master/ecs-configuration/kibana/index-pattern/ecs-suricata-all.ndjson
curl -OL https://raw.githubusercontent.com/rocknsm/rock-dashboards/master/ecs-configuration/kibana/index-pattern/ecs-all.ndjson
sudo cp ecs-suricata-all.ndjson ecs-all.ndjson /opt/rocknsm/rock-dashboards-master/ecs-configuration/kibana/index-pattern/
sudo chmod 664 /opt/rocknsm/rock-dashboards-master/ecs-configuration/kibana/index-pattern/ecs-suricata-all.ndjson
sudo chmod 664 /opt/rocknsm/rock-dashboards-master/ecs-configuration/kibana/index-pattern/ecs-all.ndjson
cd /opt/rocknsm/rock-dashboards-master/ecs-configuration/kibana/
sudo sh import-saved-items.sh
Should work. LMK
We're building this into the ISO, final testing happening.
The hardcoded IP address addressed in commit 2c73726 still applies to the ecs index patterns:
https://github.com/rocknsm/rock-dashboards/blob/master/ecs-configuration/kibana/index-pattern/ecs-all.ndjson