stamusnetworks / kts6 Goto Github PK

Dear all, I am using this KTS6, but unable to display the dashboards. Together with Synesis plugin. Anyone encountered this issue before? https://github.com/robcowart/synesis_lite_suricata#environment-variable-reference

Get lots of:

``
logstash[20807]: [2019-01-25T15:27:15,753][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-dns-2019.01.25", :_type=>"doc", :routing=>nil}, #LogStash::Event:0x65e65681], :response=>{"index"=>{"_index"=>"logstash-dns-2019.01.25", "_type"=>"doc", "_id"=>"gy1Wh2gBNsyAfm1OvkqE", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [host] of type [text]", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:939"}}}}}

This seems to be because beats now use "host.ip"/"host.name" and so forth now - https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-6.3.html

Hello!
First of all I want to say thank you for dashboards.
But I have problem with map : no any point on map and error :

I've tried reindex, but it did not help.

This is an issue with the toLowerCase() method when applied to null values on the doc.

• In my Windows instance, running elasticsearch in cmd for testing, it would cause the service to lock up... may not be an issue once I actually convert it to a windows service, but this is causing me to have to reset the service to continue testing.

Caused by: java.lang.NullPointerException
at org.elasticsearch.painless.DefBootstrap$PIC.checkClass(DefBootstrap.java:143) ~[?:?]
at org.elasticsearch.painless.PainlessScript$Script.execute('ip == ' + doc['src_ip.keyword'].value + ' && ...:223) ~[?:?]

The issue is in the FPC script to generate the URL. Would be a good idea to perform a null check on this value before attempting to generate the URL... I made the assumption that if the protocol is not available, you may not want a URL generated...

• feel free to revise according to the required logic. I am still new to all this so I am not sure what the FPC url is for.

if(doc['proto.keyword'].value != null){
'ip == ' + doc['src_ip.keyword'].value + ' &&
port == ' + doc['src_port'].value + ' &&
ip == ' + doc['dest_ip.keyword'].value + ' &&
port == ' + doc['dest_port'].value + ' &&
protocols == ' + doc['proto.keyword'].value.toLowerCase()}

Hello,

All dashboards have a timeFrom setting of 24h but dashboard:SN-TLS.json has a "timeFrom":"now-6M", six months. Could you please also make this 24h?
I always modify this setting before importing the dashboards (saves some load on the ELK node), but missed this one.

$ sed -i 's/now-24h/now-1h/g' dashboards/dashboard/* && ./load.sh

Cheers,
Andre

No so painless! Using ELK stack 6.6.2. It appears that there is no field found for [flow_id]. How do I fix this?

Error with Painless scripted field 'doc['flow_id'].value'.
You can address this error by editing the 'doc['flow_id'].value' field in Management > Index Patterns, under the “Scripted fields” tab.

Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:81)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:39)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless"},{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:81)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:39)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"fetch","grouped":true,"failed_shards":[{"shard":0,"index":"logstash-2019.06.17","node":"K0F17p4EQhWowyI734jOow","reason":{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:81)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:39)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless","caused_by":{"type":"illegal_argument_exception","reason":"No field found for [flow_id] in mapping with types []"}}},{"shard":0,"index":"logstash-web","node":"BnnohOHRT6aYovWy1SHIFg","reason":{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:81)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:39)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless","caused_by":{"type":"illegal_argument_exception","reason":"No field found for [flow_id] in mapping with types []"}}}]},"status":500}

How are Suricata and Kibana Dashboard connected?
Because Kibana Dashboard does not display any graph

Hi,

Moloch can only be reached via http://localhost/moloch and not via http://localhost/app/moloch, despite the NGINX configuration specifying /app/moloch. When visiting /app/moloch you need to provide your credentials again, after which you'll receive the message "Bad Request". When visiting /moloch, everything works well.

In Kibana Discover, the FPC link in a network packet points to /app/moloch instead of /moloch, resulting in this error. Either move Moloch to /app/moloch, or alter the link in Kibana to point to /moloch.

I'm not sure why Moloch even runs on /moloch instead of /app/moloch, maybe that is the real bug, which is why I haven't committed a pull request.

Jeroen

Hi Selks Team,

Dashboards and Visulisation KTS6 not supported on Kibana 7"
"Sorry, there was an error
Saved objects file format is invalid and cannot be imported"

any advice how to solve this issue?

Thank you.

I've been running the dashboards without issue so the following does not make sense. Upon re-initiating a docker stack, logging into the kibana container and then executing ./load.sh http://suricata_elasticsearch:9300 (suricata_elasitcsearch is the docker container domain name in the stack) the following error occurs. "This is not an HTTP port+ echo" for every object and the dashboards, index, etc. do not get loaded. I'm able to connect to http://:9300 externally via tools such as the Google tool Elasticsearch Head.

What am I doing wrong/

• for file in '$DIR/dashboard/*.json'
  ++ get_name dashboards/dashboard/dashboard:SN-VLAN.json
  ++ basename dashboards/dashboard/dashboard:SN-VLAN.json .json
  ++ sed -e 's/ /%20/g'
• name=dashboard:SN-VLAN
• echo 'Loading dashboard dashboard:SN-VLAN:'
  Loading dashboard dashboard:SN-VLAN:
• curl -H 'Content-Type: application/json' -XPUT http://suricata_elasticsearch:9300/.kibana/doc/dashboard:SN-VLAN -d @dashboards/dashboard/dashboard:SN-VLAN.json
  This is not an HTTP port+ echo

Hello,
Just upgraded from ELK 5.6 to ELK 6.4, running already Suricata 4.1rc1 and loaded the KTS6 dashboards and all seems well and dashboards are really looking good. Great job and much appreciated!
Do you advise to perform a reindex on the migrated E data?
Cheers,
Andre

Received the following error in Kibana: "Could not locate that index-pattern (id: logstash-*), click here to re-create it"

Note, there is nothing to click and the index does exist. There are events in Discover filtered on that index.