Bug #1127
logstash & suricata parsing issue (Closed)
Description
Not yet sure where the problem is, but there is an issue with getting our json into logstash.
When using logstash-forwarder (formerly lumberjack), the tool adds a field "file", which contains the location of the log file it reads from:
"file": "/var/log/suricata/eve.json",
This then masks Suricata's 'file' section. So this appears to be a namespace issue of some kind. After talking on #logstash (irc) I've reported it in their bug tracker: https://logstash.jira.com/browse/LOGSTASH-1970
See also https://gist.github.com/inliniac/9399885
This may not be a Suricata issue, but we could work around it by choosing a different name for 'file'. However, with other logstash transports other clashes may occur.
Updated by Peter Manev over 10 years ago
Is this occurring only when using the logstash forwarder?
I do not have the same problem when using it locally. Just confirming it is only a "forwarder" issue.
Updated by Victor Julien over 10 years ago
It appears that when logstash reads in the file directly, it makes the file name available through the 'path' name instead of 'file'. This doesn't clash with our input. I do believe our message should be put in a "@message" 'container' in logstash, but in neither the direct nor the logstash-forwarder case does this appear to be happening.
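To make the masking described in this thread concrete, the following is an added Python model (not code from the issue, Suricata or logstash) of how transport metadata merged into the root event clobbers a same-named key in the parsed eve.json line. The sample event, the merge order (transport metadata applied last) and the "transport_" prefix are assumptions for illustration.

```python
import json

# Constructed sample of one Suricata EVE file event (not taken from the issue page).
EVE_LINE = json.dumps({
    "timestamp": "2014-03-06T12:00:00.000000+0100",
    "event_type": "file",
    "src_ip": "10.0.0.1",
    "file": {"filename": "/test.exe", "magic": "PE32 executable", "size": 1024},
})

# Metadata logstash-forwarder attaches to each shipped line; 'file' is the key from the issue.
FORWARDER_META = {"file": "/var/log/suricata/eve.json", "host": "sensor1", "offset": 42}
# When logstash tails the file itself the location arrives under 'path', which does not clash.
FILE_INPUT_META = {"path": "/var/log/suricata/eve.json", "host": "sensor1"}


def clashing_keys(payload: dict, transport_meta: dict) -> set:
    """Keys present both in the parsed log line and in the transport metadata."""
    return set(payload) & set(transport_meta)


def merge_like_logstash(line: str, transport_meta: dict) -> dict:
    """Assumed model of decoding the JSON line into the root event: metadata
    added by the transport is applied last and silently masks the payload key."""
    event = json.loads(line)
    event.update(transport_meta)
    return event


def merge_preserving_payload(line: str, transport_meta: dict, prefix: str = "transport_") -> dict:
    """Defensive variant: a colliding transport key is stored under a prefixed
    name so the log's own section survives."""
    event = json.loads(line)
    for key, value in transport_meta.items():
        event[prefix + key if key in event else key] = value
    return event


if __name__ == "__main__":
    print("forwarder clashes:", clashing_keys(json.loads(EVE_LINE), FORWARDER_META))
    print("file input clashes:", clashing_keys(json.loads(EVE_LINE), FILE_INPUT_META))
    print("masked:", merge_like_logstash(EVE_LINE, FORWARDER_META)["file"])
    print("preserved:", merge_preserving_payload(EVE_LINE, FORWARDER_META)["file"])
```

Running the clash check against a sample of each transport's metadata before deploying a pipeline is a cheap way to catch this class of field collision.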
Updated by Victor Julien over 10 years ago
- Status changed from New to Closed
- Assignee set to Victor Julien
- Target version set to 2.0rc3
- % Done changed from 0 to 100
Workaround added through: https://github.com/inliniac/suricata/pull/885, https://github.com/inliniac/suricata/pull/886