Bug #1127

logstash & suricata parsing issue

Added by Victor Julien about 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal

Description

Not yet sure where the problem is, but there is an issue with getting our json into logstash.

When using logstash-forwarder (formerly lumberjack), the tool adds a field "file", which contains the location of the log file it reads from:

"file": "/var/log/suricata/eve.json",

This then masks Suricata's 'file' section. So this appears to be a namespace issue of some kind. After talking on #logstash (irc) I've reported it in their bug tracker: https://logstash.jira.com/browse/LOGSTASH-1970
See also https://gist.github.com/inliniac/9399885

This may not be a Suricata issue, but we could work around it by choosing a different name for 'file'. However, with other logstash transports, other clashes may occur.

#1

Updated by Peter Manev about 10 years ago

Is this occurring only when using the logstash forwarder?
I do not have the same problem when using it locally. Just confirming it is only a "forwarder" issue.

#2

Updated by Victor Julien about 10 years ago

It appears that when logstash reads in the file directly, it makes the file name available through the 'path' name instead of 'file'. This doesn't clash with our input. I do believe our message should be put in a "@message" 'container' in logstash, but in neither the direct nor the logstash-forwarder case does this appear to be happening.
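The clash described in the report and the 'path' versus 'file' difference noted in #2, modelled as an added example (this is not code from the issue, Suricata or logstash; the forwarder's 'host' and 'offset' fields, the file input's 'host' field, the EVE record contents and the '@message' container name are assumptions):

```python
# Constructed sample: a Suricata EVE "fileinfo" record whose top-level 'file'
# object is the section the report says gets masked (values made up).
EVE_FILEINFO = {
    "timestamp": "2014-03-06T12:00:00.000000",
    "event_type": "fileinfo",
    "src_ip": "10.0.0.5",
    "dest_ip": "10.0.0.9",
    "file": {"filename": "/download/sample.pdf", "state": "CLOSED", "size": 2048},
}

# Fields logstash-forwarder adds to every shipped line. 'file' is the key quoted
# in the report; 'host' and 'offset' are assumed for this example.
FORWARDER_FIELDS = {"file": "/var/log/suricata/eve.json", "host": "sensor1", "offset": 4096}

# Fields the direct logstash file input adds (comment #2: it uses 'path').
FILE_INPUT_FIELDS = {"path": "/var/log/suricata/eve.json", "host": "sensor1"}


def clashing_keys(event, transport_fields):
    """Return the top-level keys the transport would overwrite in the event."""
    return sorted(set(event) & set(transport_fields))


def merge_flat(event, transport_fields):
    """Model the flat merge: transport fields land at top level and win on collision."""
    merged = dict(event)
    merged.update(transport_fields)
    return merged


def merge_nested(event, transport_fields, container="@message"):
    """Workaround discussed in #2: keep the whole Suricata record in its own container."""
    merged = dict(transport_fields)
    merged[container] = event
    return merged


def file_section(merged, container=None):
    """Fetch Suricata's 'file' object from a merged record, or None if it was masked."""
    rec = merged[container] if container else merged
    f = rec.get("file")
    return f if isinstance(f, dict) else None


if __name__ == "__main__":
    print("clash via forwarder:", clashing_keys(EVE_FILEINFO, FORWARDER_FIELDS))    # ['file']
    print("clash via file input:", clashing_keys(EVE_FILEINFO, FILE_INPUT_FIELDS))  # []
    print("file section after flat merge:", file_section(merge_flat(EVE_FILEINFO, FORWARDER_FIELDS)))
    print("file section in container:", file_section(merge_nested(EVE_FILEINFO, FORWARDER_FIELDS), "@message"))
```

Running it shows the forwarder's string replaces the EVE 'file' object in the flat merge, while the file input's 'path' key and the container approach both leave it reachable.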

#3

Updated by Victor Julien about 10 years ago

  • Status changed from New to Closed
  • Assignee set to Victor Julien
  • Target version set to 2.0rc3
  • % Done changed from 0 to 100