No events found - OpenSearch / Filebeat

[opoplawski]

We are shipping suricata events from filebeat -> logstash -> opensearch and preserving the filebeat-* index. I think I've configured everything properly:

database:
  type: elasticsearch
  elasticsearch:
    url: https://FQDN:9200
    index: filebeat
    disable-certificate-check: true
    keyword: ""
    username: logstash
    password: XXX

EVEBOX_OPTS="--host 0.0.0.0 --ecs -v -v"

I'm not seeing any errors/warnings on evebox or opensearch. How can I see what queries are being made?

[jasonish]

Are you using Filebeats Suricata module?

[opoplawski]

No, I'm ingesting the eve.json log:
``
filebeat.inputs:

• type: log
  enabled: true
  paths:
  • /var/log/suricata/*/eve.json
    fields_under_root: true

[jasonish]

Ok, you should probably drop the --ecs argument though as you are likely using the Logstash schema, and not ECS as used by Filebeat's Suricata module.

[opoplawski]

I switched one of our inputs to the suricata module, but still nothing.

[opoplawski]

Restarted evebox again with different elastic user and we seem to be in business now.