Suricata

Not yet sure where the problem is, but there is an issue with getting our json into logstash.

When using logstash-forwarder (formerly lumberjack), the tool adds a field "file", which contains the location of the log file it reads from:

"file": "/var/log/suricata/eve.json",

This then masks Suricata's 'file' section. So this appears to be a name space issue of some kind. After talking on #logstash (irc) I've reported in their bugtracker: https://logstash.jira.com/browse/LOGSTASH-1970
See also https://gist.github.com/inliniac/9399885

This may not be a Suricata issue, but we could work around it by choosing a different name for 'file'. However with other logstash transports other clashes may occur.