robcowart/synesis_lite_suricata

Logstash error: "Error interpreting the template of the input - range can't iterate over /.../eve.json"

phobos-dthorga opened this issue · 5 comments

We at GekkoFyre Networks are receiving an error with Logstash about the following and cannot proceed any further as a result:

2020-01-07T22:53:57.506+1100    INFO    [monitoring]    log/log.go:154  Uptime: 3.029140895s
2020-01-07T22:53:57.506+1100    INFO    [monitoring]    log/log.go:131  Stopping metrics logging.
2020-01-07T22:53:57.506+1100    INFO    instance/beat.go:435    filebeat stopped.
2020-01-07T22:53:57.506+1100    ERROR   instance/beat.go:916    Exiting: Error getting config for fileset suricata/eve: Error interpreting the template of the input: template: text:3:22: executing "text" at <.paths>: range can't iterate over /var/log/suricata/eve.json
Exiting: Error getting config for fileset suricata/eve: Error interpreting the template of the input: template: text:3:22: executing "text" at <.paths>: range can't iterate over /var/log/suricata/eve.json
[root@barker ~]#

Everything else works fine otherwise, and this includes Filebeat, Metricbeat, Packetbeat, ElasticSearch, Kibana, and Heartbeat, for a cluster of about a dozen servers (including several VPSs and dedicated servers).

We're not sure why we are receiving this error, but would appreciate any and all advice on how to proceed from here, thank you.
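The message quoted above ("executing "text" at <.paths>: range can't iterate over /var/log/suricata/eve.json") is the error Go's text/template package raises when a `{{range ...}}` action is given a plain string instead of a list. Filebeat module input templates range over the fileset's `paths` variable, so a `var.paths` setting written as a single string produces exactly this failure. The block below is an added example, not code from this project or from Filebeat: the template text and the `RenderInput`/`NormalizePaths` functions are constructed here to reproduce the error with a scalar value and show that the same path rendered as a list succeeds.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// inputTemplate mimics the shape of a Filebeat module input template: the
// configured paths are emitted by ranging over ".paths". This is a
// constructed approximation for the example, not the template shipped with
// the suricata fileset.
const inputTemplate = `type: log
paths:
{{range .paths}} - {{.}}
{{end}}`

// RenderInput executes the template with the given variables, much as a
// fileset does with its "var.*" settings, and returns the rendered text or
// the template error.
func RenderInput(vars map[string]interface{}) (string, error) {
	tmpl, err := template.New("text").Parse(inputTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, vars); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// NormalizePaths accepts what a YAML parser hands back for "var.paths" and
// always returns a slice: a scalar string is wrapped, a list is passed
// through, anything else is rejected. Running the variables through this
// before rendering is one way to avoid the "range can't iterate over" error.
func NormalizePaths(v interface{}) ([]string, error) {
	switch p := v.(type) {
	case string:
		return []string{p}, nil
	case []string:
		return p, nil
	case []interface{}:
		out := make([]string, 0, len(p))
		for _, e := range p {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("paths entry %v is not a string", e)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("paths must be a string or a list, got %T", v)
	}
}

func main() {
	// Constructed sample: the scalar form that triggers the error in the issue.
	_, err := RenderInput(map[string]interface{}{"paths": "/var/log/suricata/eve.json"})
	fmt.Println("scalar:", err)

	// The same value, normalized to a list, renders cleanly.
	paths, _ := NormalizePaths("/var/log/suricata/eve.json")
	out, _ := RenderInput(map[string]interface{}{"paths": paths})
	fmt.Print("list:\n", out)
}
```

The practical check this suggests for a module config is that `var.paths` is a YAML sequence (`- /var/log/suricata/eve.json`) rather than a bare string; the column numbers in the real error will differ from this reproduction because the shipped template is longer.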

Hello again!

I was able to solve the aforementioned error, although not sure how, but I am now greeted by the following problem as visually displayed in a screenshot below. I'm unable to create the required indexes as a result of this monstrous error.

The version of ElasticSearch we are using is the following:

root@metrics:~# elasticsearch -V
Version: 7.5.1, Build: default/deb/3ae9ac9a93c95bd0cdc054951cf95d88e1e18d96/2019-12-16T22:57:37.835892Z, JVM: 13.0.1
root@metrics:~#

[Screenshot: Kibana index creation error, captured 2020-01-08 01:21:38]

Thank you for your time, we appreciate any and all help.

Sorry, but the solution has not yet been tested against or updated to support 7.5.x. It will probably be closer to the end of the month before I can get to it.

Hello @robcowart,

Thank you kindly, please keep us updated as to the progress you are making towards support for 7.5.x! :)

Hi,

I have the same problem with Elasticsearch 7.8.0 and Filebeat 7.8.0. Do you have a workaround please?

This project will not be updated for more recent releases of the Elastic Stack.