Problem Importing Suricata Index Pattern to Kibana
netmerchant opened this issue · 1 comment
Hello all. I have been following the installation guide, but I am having problems after Step 9 when setting up Kibana. I have not been able to import the Index Patterns correctly.
My system -- I am using ELK 6.7.2 with Filebeat and with Suricata 4.1.4 on Ubuntu 18.04, installed on a VPS with a public IP address. I can access the Kibana UI by just putting in my fully qualified domain name (no port 5601 needed) and it prompts for a username and password to bring up the page.
When I run the curl command and use my username and password along with the FQDN with the port and the path to my synlite_suricata.index_pattern.json and synlite_suricata_stats.index_pattern.json files, I get an error message that "failed to connect - connection timed out". I have also tried leaving the username and password out of the curl command.
When I removed the port from the URL path in the curl command, I got the following output:
301 Moved Permanently
nginx/1.14.0 (Ubuntu)
Then, when I tried to import the synlite_suricata.dashboards.json using the Kibana UI - Management - Saved Objects import section, I got an error message:
"Index Pattern Conflicts
The following saved objects use index patterns that do not exist. Please select the index patterns you'd like re-associated with them. You can create a new index pattern if necessary
suricata-*"
Here is one of the errors that shows up in /var/log/logstash/logstash-plain.log:
Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"suricata-1.0.1-2019.05.14", :_type=>"doc", :routing=>nil}, #LogStash::Event:0x2165f318], :response=>{"index"=>{"_index"=>"suricata-1.0.1-2019.05.14", "_type"=>"doc", "_id"=>"bWqJt2oBfxlZ2agOhqWc", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [event.host] of type [keyword] in document with id 'bWqJt2oBfxlZ2agOhqWc'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:685"}}}}}
Is there another way to bring the Index Patterns for Suricata into Kibana?
Can anyone provide me a solution, or let me know if I need to provide any other information to help troubleshoot?
Thank you.
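The mapper_parsing_exception quoted above is Elasticsearch rejecting a document because a field mapped as keyword (event.host) arrived as a JSON object. As an added example, not code from the issue or from the synlite project, here is a small Python check that walks an index mapping and reports event fields whose JSON type conflicts with the mapped type, so such documents can be caught in a pipeline test before they are dropped at index time; the mapping fragment and the sample event are constructed for illustration.

```python
import json

# Constructed mapping fragment (assumption mirroring the error in the issue):
# event.host is mapped as keyword, alert.signature_id as integer.
MAPPING = {
    "properties": {
        "event": {"properties": {"host": {"type": "keyword"},
                                 "type": {"type": "keyword"}}},
        "alert": {"properties": {"signature_id": {"type": "integer"}}},
    }
}

# Python/JSON value types Elasticsearch accepts for the scalar field types used here.
SCALAR_TYPES = {
    "keyword": (str,), "text": (str,), "ip": (str,),
    "integer": (int,), "long": (int,), "float": (int, float),
    "boolean": (bool,), "date": (str, int),
}


def _acceptable(value, allowed):
    # bool is a subclass of int in Python, so it needs its own check.
    if isinstance(value, bool):
        return bool in allowed
    return isinstance(value, allowed)


def find_conflicts(mapping, event, path=""):
    """Return (field, mapped_type, json_type) for every event field whose
    JSON value cannot be indexed under the mapped type."""
    conflicts = []
    for name, spec in mapping.get("properties", {}).items():
        if name not in event:
            continue
        value, full = event[name], path + name
        if "properties" in spec:  # mapped as an object with known sub-fields
            if isinstance(value, dict):
                conflicts += find_conflicts(spec, value, full + ".")
            else:
                conflicts.append((full, "object", type(value).__name__))
            continue
        allowed = SCALAR_TYPES.get(spec.get("type", "object"))
        if allowed is None:
            continue  # free-form object or a type this check does not model
        # Arrays of scalars are fine; an object in a keyword field is the
        # "Can't get text on a START_OBJECT" case from the logstash log line.
        for v in value if isinstance(value, list) else [value]:
            if isinstance(v, dict) or not _acceptable(v, allowed):
                conflicts.append((full, spec["type"], type(v).__name__))
                break
    return conflicts


# Constructed event: event.host arrives as an object instead of a string.
SAMPLE_EVENT = json.loads('{"event": {"type": "alert", "host": {"name": "sensor01"}},'
                          ' "alert": {"signature_id": 2100498}}')

if __name__ == "__main__":
    for field, want, got in find_conflicts(MAPPING, SAMPLE_EVENT):
        print(f"{field}: mapped as {want}, event carries {got}")
```

Running the check against the sample event reports event.host as the single conflicting field; point it at the real index template and a captured event from the Logstash pipeline to see which field is being rejected.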