
dashboard error (some chart) #3

Open
sysmoon opened this issue Jun 12, 2017 · 6 comments

Comments


sysmoon commented Jun 12, 2017

Hello!
My ELK env is
es/kibana: 5.4.0

After running load.sh, when I opened the dashboard, all charts using a ***.raw field as an aggregator are not visible (no results found). The index pattern is OK. What's wrong?


Member

pevma commented Jun 12, 2017

If this is a fresh/test installation you can try the following -

find /opt/selks/kibana4-dashboards/ -type f -exec sed -i -e 's/\.raw/\.keyword/g' {} \;

then reload the dashboards. Please let us know how it goes.

Author

sysmoon commented Jun 12, 2017

Hello @pevma,
I don't have a path like '/opt/selks/kibana4-dashboards/'.
Do I miss something?
I just cloned the KTS5 master branch and ran load.sh,
and my ELK version is all 5.4.0.

my log flow is filebeat(read eve.json) -> logstash -> es

[logstash.conf]

```conf
input {
  # Filebeat ships eve.json line by line; the json codec turns each line into event fields
  beats {
    port => 5044
    codec => json
  }
}

filter {

  if [type] == "SELKS" {

    # Use Suricata's own timestamp as @timestamp instead of the ingestion time
    date {
      match => [ "timestamp", "ISO8601" ]
    }

    # fileinfo events: keep only the first token of the libmagic description as fileinfo.type
    ruby {
      code => "
        if event.get('[event_type]') == 'fileinfo'
          event.set('[fileinfo][type]', event.get('[fileinfo][magic]').to_s.split(',')[0])
        end
      "
    }

    # alert events: drop a trailing ' group <n>' suffix so one rule aggregates under one name
    ruby {
      code => "
        if event.get('[event_type]') == 'alert'
          sp = event.get('[alert][signature]').to_s.split(' group ')
          if (sp.length == 2) and /\A\d+\z/.match(sp[1])
            event.set('[alert][signature]', sp[0])
          end
        end
      "
    }

    # Emit an eve_insert rate event (tagged 'metric') every 30 seconds
    metrics {
      meter => [ "eve_insert" ]
      add_tag => "metric"
      flush_interval => 30
    }
  }

  if [http] {
    useragent {
      source => "[http][http_user_agent]"
      target => "[http][user_agent]"
    }
  }

  if [src_ip] {
    geoip {
      source => "src_ip"
      database => "/etc/logstash/db/GeoIP2-City.mmdb"
      target => "geoip"
      # two add_field entries for the same key build a [lon, lat] array
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }

    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }

    # Fall back to dest_ip only when src_ip produced no GeoIP result.
    # Nested fields are referenced as [geoip][ip]; the original [geoip.ip] names a
    # top-level field literally called "geoip.ip", which never exists, so the
    # condition was always true and the dest_ip lookup also ran for events that
    # already had a src_ip match.
    if ![geoip][ip] {
      if [dest_ip] {
        geoip {
          source => "dest_ip"
          target => "geoip"
          database => "/etc/logstash/db/GeoIP2-City.mmdb"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        }

        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }
  }

  # Copy IPv4 destinations (no ':' in the address) into dest_ip4
  if [dest_ip] {
    if [dest_ip] !~ ":" {
      mutate {
        add_field => [ "[dest_ip4]", "%{dest_ip}" ]
      }
    }
  }
}

output {
  # One index per event type and day; stats/engine events and the metric events
  # (which carry no event_type) go to the plain daily index.
  # The original config also had an unconditional elasticsearch output before this
  # conditional; it indexed every event a second time into logstash-YYYY.MM.dd, so it was removed.
  if [event_type] and [event_type] not in ['stats', 'engine'] {
    elasticsearch {
      hosts => "localhost"
      index => "logstash-%{event_type}-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => "localhost"
      index => "logstash-%{+YYYY.MM.dd}"
    }
  }
}
```

Author

sysmoon commented Jun 12, 2017

Solved like this:
`find ***/KTS5/dashboards/ -type f -exec sed -i -e 's/\.raw/\.keyword/g' {} \;`
and the dashboard is working fine.
But some charts are still not visible. I will find the reason ^^

Thank you pevma.
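The `find ... sed` one-liner above works because Elasticsearch 5 renamed the aggregatable string sub-field from `.raw` to `.keyword`, so the dashboard JSON only has to reference the new name. The following is an added example, not code from this thread or from the KTS5 project, that does the same rewrite in Python and shows why the dot in the pattern must be escaped: with an unescaped `.raw`, `sed` treats `.` as "any character", so a word like "Drawn" in a panel title silently becomes ".keywordn". The script only touches a literal `.raw` that ends a field path, and re-parses the result (including the JSON-in-a-string `visState` and `searchSourceJSON` blobs Kibana uses) before writing anything back. The sample export, the directory layout and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Rewrite '.raw' multi-field references to '.keyword' in Kibana saved-object exports."""
import json
import re
import sys
from pathlib import Path
from typing import Dict, Tuple

# What sed 's/.raw/.keyword/g' actually means: '.' matches ANY character,
# so "Drawn" becomes ".keywordn" and the change is not reversible.
NAIVE_PATTERN = re.compile(r".raw")

# Only a literal ".raw" that ends a field path: preceded by an identifier
# character and not followed by another word character (so ".raw_copy" is untouched).
FIELD_SUFFIX = re.compile(r"(?<=[A-Za-z0-9_])\.raw\b")


def naive_rewrite(text: str) -> str:
    """The unescaped sed behaviour, kept only for comparison."""
    return NAIVE_PATTERN.sub(".keyword", text)


def rewrite_raw_fields(text: str) -> Tuple[str, int]:
    """Replace field references ending in .raw with .keyword; return (text, count)."""
    return FIELD_SUFFIX.subn(".keyword", text)


def rewrite_export(text: str) -> Tuple[str, int]:
    """Rewrite one saved-object export and verify it is still loadable JSON,
    including the nested JSON strings Kibana keeps in visState and searchSourceJSON."""
    json.loads(text)                        # refuse input that was not JSON to begin with
    new_text, count = rewrite_raw_fields(text)
    obj = json.loads(new_text)              # raises if the substitution broke the document
    nested = (obj.get("visState"),
              obj.get("kibanaSavedObjectMeta", {}).get("searchSourceJSON"))
    for blob in nested:
        if blob:
            json.loads(blob)
    return new_text, count


def rewrite_directory(root: Path) -> Dict[str, int]:
    """Apply rewrite_export in place to every *.json file below root (hypothetical layout)."""
    changed: Dict[str, int] = {}
    for path in root.rglob("*.json"):
        new_text, count = rewrite_export(path.read_text())
        if count:
            path.write_text(new_text)
            changed[str(path)] = count
    return changed


# Constructed sample in the shape of a Kibana 5 visualization export; not a KTS5 file.
SAMPLE_EXPORT = json.dumps({
    "title": "SN Alert-Drawn by Signature",
    "visState": json.dumps({"type": "pie", "aggs": [
        {"type": "terms", "params": {"field": "alert.signature.raw", "size": 20}}]}),
    "kibanaSavedObjectMeta": {"searchSourceJSON": json.dumps({
        "index": "logstash-*",
        "query": {"query_string": {
            "query": "event_type:alert AND NOT alert.category.raw:\"Not Suspicious Traffic\""}}})},
})


if __name__ == "__main__":
    if len(sys.argv) == 2:
        for path, n in rewrite_directory(Path(sys.argv[1])).items():
            print(f"{path}: {n} reference(s) rewritten")
    else:
        fixed, n = rewrite_export(SAMPLE_EXPORT)
        print(f"{n} references rewritten; title intact: {'Drawn' in fixed}")
        print("unescaped pattern mangles the title:",
              json.loads(naive_rewrite(SAMPLE_EXPORT))["title"])
```

Run it with a directory argument to rewrite an exported dashboard tree in place, or without arguments to see the two patterns applied to the constructed sample. Re-parsing before writing is the check worth keeping even when using `sed`: a dashboard that no longer loads is harder to diagnose than one that shows "no results found".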

Member

pevma commented Jun 12, 2017

Ok - please keep us posted. Thank you for digging in. Which charts are problematic?

Author

sysmoon commented Jun 13, 2017

Hello pevma.

I summarized the charts with errors.

[SN ALERTS]

  • SN Alert-BySmtpHello
    reason: query error (exist:smtp*)

[SN FILE-Transactions]

  • SN FILE-GeoIPPDFAndExecutables
    reason: geoip.location field is not analyzed

[SN HTTP]

  • SN HTTP-AcceptEncoding (No results displayed because all values equal 0.)
  • SN HTTP-AcceptEncodingByConnection (No results displayed because all values equal 0.)
  • SN HTTP-CacheControl (No results displayed because all values equal 0.)
    reason: there is no indexed data (http.accept_encoding.keyyword, http.accept_encoding.keyword, http.connection.keyword, http.cache_control.keyword)

[SN VLAN]
All charts are not visible (no results found).
The vlan field is not indexed.
As you mentioned, I enabled "use-for-tracking: true" in suricata.yml

Except for the charts I wrote above, almost all charts are working well..
I want you to check the charts with errors and my logstash.conf.
I think logstash.conf can be a hole..
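The three failure kinds listed above (a field nobody has indexed yet, a field mapped with the wrong type for a map panel, and a text field with no aggregatable sub-field) can be told apart from the index mapping rather than from the dashboards. The script below is an added example, not part of this thread or of the KTS5 project: it flattens a mapping (a constructed Elasticsearch 5 fragment here; for a real index use the output of `GET /logstash-*/_mapping`) and classifies each field a chart aggregates on. The sample mapping, the field list and the function names are assumptions; `alert.signature.keyword` is included as a control that should pass.

```python
#!/usr/bin/env python3
"""Audit dashboard field references against an Elasticsearch index mapping."""
import json
import sys
from typing import Dict, List, Tuple

# Constructed ES 5.x mapping fragment in the shape Logstash's default template gives
# logstash-* indices (strings become text with a .keyword sub-field). Hypothetical,
# not the mapping of any KTS5/SELKS index.
SAMPLE_MAPPING = {
    "properties": {
        "event_type": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
        "alert": {"properties": {
            "signature": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
            "category": {"type": "text"},          # no .keyword sub-field: cannot aggregate
        }},
        "http": {"properties": {
            "hostname": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
            "url": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
        }},
        "geoip": {"properties": {
            "ip": {"type": "ip"},
            "location": {"type": "float"},         # a map panel needs geo_point here
        }},
    }
}

# (field, aggregation) pairs as a chart references them; the first is a control that
# should pass, the rest mirror the failing charts reported in the comment above
DASHBOARD_FIELDS: List[Tuple[str, str]] = [
    ("alert.signature.keyword", "terms"),
    ("alert.category.keyword", "terms"),
    ("http.accept_encoding.keyword", "terms"),
    ("http.connection.keyword", "terms"),
    ("http.cache_control.keyword", "terms"),
    ("geoip.location", "geohash_grid"),
    ("vlan", "terms"),
]

# Types a terms/histogram aggregation can use directly; text is deliberately absent
# because ES 5 disables fielddata on text fields by default.
AGGREGATABLE = {"keyword", "ip", "long", "integer", "short", "byte", "double",
                "float", "date", "boolean", "geo_point"}


def flatten_mapping(props: Dict, prefix: str = "") -> Dict[str, str]:
    """Return {dotted.path: type} for every field and multi-field under props."""
    flat: Dict[str, str] = {}
    for name, spec in props.items():
        path = prefix + name
        if "properties" in spec:                 # object field: recurse into children
            flat.update(flatten_mapping(spec["properties"], path + "."))
            continue
        flat[path] = spec.get("type", "object")
        for sub, subspec in spec.get("fields", {}).items():   # multi-fields such as .keyword
            flat[path + "." + sub] = subspec.get("type", "keyword")
    return flat


def check_field(flat: Dict[str, str], field: str, agg: str) -> Tuple[str, str]:
    """Classify one reference as ok / missing / not_aggregatable / wrong_type."""
    ftype = flat.get(field)
    if ftype is None:
        parent, _, sub = field.rpartition(".")
        if parent in flat:                       # parent exists but lacks the sub-field
            return "not_aggregatable", f"{parent} is {flat[parent]} with no .{sub} sub-field"
        return "missing", "no document has indexed this field yet"
    if agg == "geohash_grid" and ftype != "geo_point":
        return "wrong_type", f"mapped as {ftype}; map visualizations need geo_point"
    if ftype not in AGGREGATABLE:
        return "not_aggregatable", f"mapped as {ftype}"
    return "ok", ftype


def audit(mapping: Dict, fields: List[Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Run check_field over every dashboard reference; keys are the field paths."""
    flat = flatten_mapping(mapping["properties"])
    return {field: check_field(flat, field, agg) for field, agg in fields}


if __name__ == "__main__":
    # Pass a file holding one type mapping ({"properties": {...}}) to audit a real index
    mapping = json.load(open(sys.argv[1])) if len(sys.argv) == 2 else SAMPLE_MAPPING
    for field, (status, detail) in audit(mapping, DASHBOARD_FIELDS).items():
        print(f"{status:16} {field:32} {detail}")
```

A "missing" result is the situation pevma describes in the reply that follows: the chart is fine, the traffic simply never produced that field (no VLAN tags, no such HTTP headers). "wrong_type" and "not_aggregatable" point at the index template or the Logstash pipeline instead, which is where a `.raw` versus `.keyword` mismatch or an unmapped `geoip.location` would show up.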

Member

pevma commented Jun 13, 2017

@sysmoon - Thanks for the feedback!
I think only the first one is a bug. The lack of data on the other 3 dashboards has to do with no such data being available. Aka if you don't have VLAN tagged traffic - you should not see anything in the VLAN dashboard.
