[Filebeat][meta] Add Suricata module #8153

Closed
7 of 8 tasks
andrewkroh opened this issue Aug 29, 2018 · 8 comments

Comments

andrewkroh commented Aug 29, 2018

This is the meta issue to track the task of adding a new Filebeat module that reads the Suricata EVE JSON output.

andrewkroh commented Aug 29, 2018

@ruflin Can you help me determine what Filebeat's `source` field should be renamed to?

@andrewvc Could mapval be used to validate that a document's fields are contained in fields.yml as described above? Apart from the Python system tests, is anyone aware of any fields.yml validation code in Go?

ruflin commented Aug 30, 2018

source should become file.path I think. I need to update the use case.

@andrewkroh For the field validation I remember @simitt put something together for apm-server quite some time ago.

simitt commented Aug 30, 2018

We have a test PayloadAttrsMatchFields checking that attributes from the payload are indexed except for specific exceptions and a KeywordLimitation test checking that every string indexed as keyword follows the 1024 default length restriction in the json spec. Those tests are applied e.g. for transactions. There you also find more tests regarding allowed/forbidden/required/optional attributes.
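
The two checks simitt describes (every attribute in a payload must be declared in fields.yml, apart from listed exceptions, and every string indexed as keyword must respect the 1024-byte default limit), written out as an added Go example. This is not apm-server's tests/fields.go and not Beats code: it assumes a hypothetical fields.yml excerpt expressed as a Go literal (a real check would load the YAML file) and a constructed EVE-style event; the `source_ecs` name follows the workaround discussed later in this issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Field mirrors one entry of a Beats fields.yml: name, type and nested fields.
// In a real check this would be decoded from the YAML file; here the
// definition is a constructed Go literal so the example runs offline.
type Field struct {
	Name   string
	Type   string
	Fields []Field
}

// constructedFields is a hypothetical fields.yml excerpt, not the module's real one.
var constructedFields = []Field{
	{Name: "suricata", Type: "group", Fields: []Field{
		{Name: "eve", Type: "group", Fields: []Field{
			{Name: "event_type", Type: "keyword"},
			{Name: "flow_id", Type: "keyword"},
			{Name: "alert", Type: "group", Fields: []Field{
				{Name: "signature", Type: "keyword"},
				{Name: "severity", Type: "integer"},
			}},
		}},
	}},
	{Name: "source_ecs", Type: "group", Fields: []Field{
		{Name: "ip", Type: "ip"},
		{Name: "port", Type: "long"},
	}},
}

// knownExceptions are document keys allowed to be absent from fields.yml
// (the "specific exceptions" of the PayloadAttrsMatchFields-style test).
var knownExceptions = map[string]bool{"@timestamp": true}

// maxKeyword is the default ignore_above length for keyword fields.
const maxKeyword = 1024

// flattenFields turns the nested definition into dotted name -> type.
func flattenFields(prefix string, fields []Field, out map[string]string) {
	for _, f := range fields {
		name := f.Name
		if prefix != "" {
			name = prefix + "." + f.Name
		}
		out[name] = f.Type
		flattenFields(name, f.Fields, out)
	}
}

// flattenDoc turns a decoded JSON object into dotted key -> leaf value.
func flattenDoc(prefix string, doc map[string]interface{}, out map[string]interface{}) {
	for k, v := range doc {
		name := k
		if prefix != "" {
			name = prefix + "." + k
		}
		if child, ok := v.(map[string]interface{}); ok {
			flattenDoc(name, child, out)
			continue
		}
		out[name] = v
	}
}

// CheckDocument returns a sorted list of problems: leaf fields not declared in
// the definition (unless excepted) and keyword values longer than maxKeyword.
func CheckDocument(rawJSON string, def []Field) ([]string, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal([]byte(rawJSON), &doc); err != nil {
		return nil, err
	}
	declared := map[string]string{}
	flattenFields("", def, declared)
	leaves := map[string]interface{}{}
	flattenDoc("", doc, leaves)

	var problems []string
	for name, v := range leaves {
		typ, ok := declared[name]
		if !ok {
			if !knownExceptions[name] {
				problems = append(problems, fmt.Sprintf("undeclared field: %s", name))
			}
			continue
		}
		if s, isStr := v.(string); isStr && typ == "keyword" && len(s) > maxKeyword {
			problems = append(problems, fmt.Sprintf("keyword too long (%d bytes): %s", len(s), name))
		}
	}
	sort.Strings(problems)
	return problems, nil
}

// constructedEvent is a constructed EVE-style record, not real Suricata output.
// "source" and "suricata.eve.alert.category" are deliberately left undeclared.
const constructedEvent = `{
  "@timestamp": "2018-10-24T00:00:00.000Z",
  "suricata": {"eve": {"event_type": "alert", "flow_id": "1",
    "alert": {"signature": "SAMPLE", "severity": 2, "category": "sample"}}},
  "source_ecs": {"ip": "10.0.0.1", "port": 1234},
  "source": "10.0.0.1"
}`

func main() {
	problems, err := CheckDocument(constructedEvent, constructedFields)
	if err != nil {
		panic(err)
	}
	for _, p := range problems {
		fmt.Println(p)
	}
}
```

Running it on the constructed event reports the two undeclared leaf fields; a document whose `suricata.eve.alert.signature` exceeds 1024 bytes is reported by the keyword check instead, which is what catches values that would be silently dropped from the index by `ignore_above`.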

ruflin commented Sep 3, 2018

@simitt Didn't you also write something in the past to check if a field is in fields.yml in Go, as we still have this in Python? I now somehow even remember I added this on our side / copied it over. Have to search for it.

ruflin commented Sep 3, 2018

Update: Looks like I missed the first link from @simitt which contains the code on the apm-server side to check the fields: https://github.com/elastic/apm-server/blob/e0e849c3e94042db07573f0c1e6684439f29b88e/tests/fields.go#L46

adriansr commented

Hi @ruflin, any update on the new source mapping for Filebeat?

You suggest file.source, but what about when input is not from a file? tcp, syslog etc? Currently source is the IP address for example.

@adriansr adriansr self-assigned this Sep 19, 2018

tsg commented Oct 18, 2018

Adding the module checklist:

tsg added a commit to tsg/beats that referenced this issue Oct 22, 2018
Mostly making all vis and searches end in [Suricata].

Part of elastic#8153.
tsg added a commit that referenced this issue Oct 22, 2018
Mostly making all vis and searches end in [Suricata].

Part of #8153.
tsg added a commit to elastic/kibana that referenced this issue Oct 23, 2018
tsg added a commit to tsg/kibana that referenced this issue Oct 23, 2018
andrewkroh added a commit that referenced this issue Oct 24, 2018
This adds a Filebeat module for ingesting the logs created by Suricata IDS/IPS/NSM. The module collects the logs from the Suricata Eve JSON output (https://suricata.readthedocs.io/en/latest/output/eve/eve-json-format.html). #8153

The module is included in the Elastic licensed Filebeat package. It is considered beta at this stage. It includes two sample dashboards.

It uses Elastic Common Schema (ECS) for field naming where applicable, but it has to work around the conflict with the existing source field in Filebeat. source_ecs holds the data that goes into the ECS source field. This will be rectified in the next major release when we can make a breaking change.

The development tooling for the building/testing/packaging of x-pack modules is still a bit of a WIP. So at the moment testing and packaging continues to happen through the OSS filebeat directory.

Co-authored-by: Adrian Serrano <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Mathieu Martin <[email protected]>
Co-authored-by: Tudor Golubenco <[email protected]>
tsg added a commit to elastic/kibana that referenced this issue Oct 24, 2018
andrewkroh added a commit to andrewkroh/beats that referenced this issue Oct 24, 2018
(cherry picked from commit 3e1b03e)
andrewkroh added a commit that referenced this issue Oct 24, 2018
* Add Suricata module to Filebeat (#8693)

This adds a Filebeat module for ingesting the logs created by Suricata IDS/IPS/NSM. The module collects the logs from the Suricata Eve JSON output (https://suricata.readthedocs.io/en/latest/output/eve/eve-json-format.html). #8153

The module is included in the Elastic licensed Filebeat package. It is considered beta at this stage. It includes two sample dashboards.

It uses Elastic Common Schema (ECS) for field naming where applicable, but it has to work around the conflict with the existing source field in Filebeat. source_ecs holds the data that goes into the ECS source field. This will be rectified in the next major release when we can make a breaking change.

The development tooling for the building/testing/packaging of x-pack modules is still a bit of a WIP. So at the moment testing and packaging continues to happen through the OSS filebeat directory.

Co-authored-by: Adrian Serrano <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Mathieu Martin <[email protected]>
Co-authored-by: Tudor Golubenco <[email protected]>
(cherry picked from commit 3e1b03e)

* Change url.host.name to url.hostname (#8732)

This updates the Filebeat Suricata module to use url.hostname instead of url.host.name.

* Add fields used by Suricata module

Add fields used by Suricata module to fields.yml. Some of these are in ECS.

event.type
destination.ip
destination.port
user_agent.original
user_agent.device
user_agent.version
user_agent.major
user_agent.minor
user_agent.patch
user_agent.name
user_agent.os.name
user_agent.os.full_name (non-ECS)
user_agent.os.version
user_agent.os.major
user_agent.os.minor
file.path
file.size
@ruflin ruflin added the SecOps label Nov 27, 2018
@elasticmachine
Pinging @elastic/secops
