Suricata Logs CSV

[SomeInfosecGuy]

Before you post your issue make sure it has not been answered yet and provide basic support information if you come to the conclusion it is a new issue.

• 🔍 Use the search function first
• 🧐 Check our WIKI
• 📚 Consult the documentation of 💻 Debian, 🐳 Docker, the 🦌 ELK stack and the 🍯 T-Pot Readme.
• ⚠️ Provide basic support information or similiar information with regard to your issue or we can not help you and will close the issue without further notice

⚠️ Basic support information (commands are expected to run as root)

• What version of the OS are you currently using lsb_release -a and uname -a?
• What T-Pot version are you currently using? 20.06.1
• What edition (Standard, Nextgen, etc.) of T-Pot are you running? Standard
• What architecture are you running on (i.e. hardware, cloud, VM, etc.)? Baremetal, 16GB RAM, FX 8320e
• Did you have any problems during the install? If yes, please attach /install.log /install.err. No
• How long has your installation been running? One week
• Did you install upgrades, packages or use the update script? No
• Did you modify any scripts or configs? If yes, please attach the changes. No
• Please provide a screenshot of glances and htop.
• How much free disk space is available (df -h)? 1.6TB
• What is the current container status (dps.sh)? Up
• What is the status of the T-Pot service (systemctl status tpot)? Active
• What ports are being occupied? Stop T-Pot systemctl stop tpot and run netstat -tulpen
• If a single container shows as DOWN you can run docker logs <container-name> for the latest log entries

I want to download the Suricata logs for specific searches from honeypot dashboards (e.g. cowrie) to a CSV file but the error "We couldn't generate your CSV at this time." is displayed. I want to create a pivot table to analyze the data and put it in a threat intelligence platform.

[t3chn0m4g3]

Sorry, works perfectly fine here.

Please describe exactly what you are doing incl. screenshots and provide logs from Kibana (docker logs kibana) and ES (docker logs elasticsearch) at the timestamp when the error occurs.

[SomeInfosecGuy]

I've edited the Cowrie dashboard to include Suricata logs. When I click the three horizontal buttons then click Download CSV I get an error stating that the CSV couldn't be generated.

Kibana: time 16:40z

Elasticsearch: no related logs to the issue it appears

[t3chn0m4g3]

I can confirm this does not work and seems to be a limitation of Kibana, at least according to googling the error.

You can follow this guide however which works for me: https://reelyactive.github.io/diy/kibana-export-data-csv-file/

[SomeInfosecGuy]

That certainly works. Thank you!

On Thu, Sep 17, 2020 at 2:55 PM Marco Ochse notifications@github.com wrote:

I can confirm this does not work and seems to be a limitation of Kibana, at least according to googling the error.

You can follow this guide however which works for me: https://reelyactive.github.io/diy/kibana-export-data-csv-file/

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/telekom-security/tpotce/issues/699#issuecomment-694432948, or unsubscribe https://github.com/notifications/unsubscribe-auth/ALOGT4FLSRV7LCLTVMRE2KTSGJLSZANCNFSM4RO6GE7Q .

[t3chn0m4g3]

Thanks for the feedback. Closing this.