Suricata eve.json input file

Hello,

I'm trying to get the JSON from the Suricata eve.json file into InfluxDB.
I can't find out how to make it work.

I'm using: JSON input data format | Telegraf 1.15 Documentation

This is my error:
telegraf[25743]: 2020-10-13T10:49:01Z E! [inputs.file] Error in plugin: invalid character ‘{’ after top-level value

My configuration:

[[inputs.file]]
files = ["/var/log/suricata/eve.json"]
data_format = "json"
json_query = ""
tag_keys = [
"ids"
]
json_string_fields = []
json_name_key = ""
json_time_key = ""
json_time_format = "2006-01-02T15:04:05Z07:00"

And these are some examples of the logs:

{"timestamp":"2020-10-13T12:58:24.147503+0200","flow_id":1725062989050064,"in_iface":"ens256","event_type":"flow","vlan":[123],"src_ip":"1.1.1.1","src_port":33031,"dest_ip":"2.2.2.2","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":88,"bytes_toclient":905,"start":"2020-10-13T12:51:25.815312+0200","end":"2020-10-13T12:51:25.974559+0200","age":0,"state":"established","reason":"unknown","alerted":false},"community_id":"1:q2HBJLLLZs/6KeeWi0JoV/xFdBo="}

Another:

{"timestamp":"2020-10-13T12:52:29.524846+0200","flow_id":886715040085354,"in_iface":"ens256","event_type":"smb","vlan":[123],"src_ip":"1.1.1.1","src_port":55941,"dest_ip":"2.2.2.2","dest_port":445,"proto":"TCP","smb":{"id":88,"dialect":"2.02","command":"SMB2_COMMAND_TREE_DISCONNECT","status":"STATUS_SUCCESS","status_code":"0x0","session_id":1921664783,"tree_id":1025540562},"community_id":"1:uFcPUO+KTRhUEH68URd54jNQmv4="}
{"timestamp":"2020-10-13T12:52:34.852475+0200","flow_id":886715040085354,"in_iface":"ens256","event_type":"smb","vlan":[123],"src_ip":"1.1.1.1","src_port":55941,"dest_ip":"2.2.2.2","dest_port":445,"proto":"TCP","smb":{"id":87,"dialect":"2.02","command":"SMB2_COMMAND_READ","status":"STATUS_SUCCESS","status_code":"0x0","session_id":1921664783,"tree_id":1516891187,"filename":"GoogleDriveblabla.txt","share":"\\2.2.2.2\Data","fuid":"08348f96-0000-0000-a3c6-f0f000000000"},"community_id":"1:uFcPUO+KTRhUEH68URd54jNQmv4="}

Hello @Luis1,
Welcome! You need to specify your time_key = "timestamp". You also might want to specify your tags; it looks like maybe "event_type", "proto", "app_proto" as some of your tag keys? Otherwise they'll all be converted to fields.

I also recommend setting debug=true in the agent part of your telegraf config.

Hi @Anaisdg, thank you. I'm trying, but no success for now ^^.

Hello @Luis1,
Can you share your telegraf logs and your new config file please?

Hello,

Sorry, I used another way to do this. :)

This is my final product: GitHub - b4b857f6ee/selks_grafana_dashboard: Grafana Dashboards for SELKS

Thank you for your time


You can’t just assume something will use newline-delimited JSON if it doesn’t say it does.

“The file plugin parses the complete contents of a file every interval using the selected input data format.”

Probably use the tail plugin instead, if you want to have it parse newly appended lines only, and go line by line.

[[inputs.tail]]
  data_format = "json"
  files = ["/var/log/suricata/eve.json"]
  name_override = "suricata"
# tag_keys = ["event_type","src_ip","src_port","dest_ip","dest_port"]
  tag_keys = ["in_iface","event_type","src_ip","src_port","dest_ip","dest_port","proto","alert.signature","alert.category","alert.signature_severity"]
# json_string_fields = ["*"]
  json_time_key = "timestamp"
  json_time_format = "2006-01-02T15:04:05-0700"
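To make the difference between the two plugins concrete, here is an added example (my own Python, not code from the thread or from Telegraf) that parses constructed eve.json-style lines the way the inputs.tail config above would: whole-file parsing fails on the second object, while line-by-line parsing yields a timestamp, the configured tag keys (dotted keys such as alert.signature resolve into nested objects) and the remaining flattened fields.

```python
import json
from datetime import datetime
# Constructed sample in the shape of Suricata eve.json: one JSON object per line (NDJSON).
EVE_SAMPLE = (
    '{"timestamp":"2020-10-13T12:58:24.147503+0200","in_iface":"ens256","event_type":"flow",'
    '"src_ip":"1.1.1.1","src_port":33031,"dest_ip":"2.2.2.2","dest_port":53,"proto":"UDP","app_proto":"dns",'
    '"flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":88,"bytes_toclient":905}}\n'
    '{"timestamp":"2020-10-13T12:52:29.524846+0200","in_iface":"ens256","event_type":"smb",'
    '"src_ip":"1.1.1.1","src_port":55941,"dest_ip":"2.2.2.2","dest_port":445,"proto":"TCP",'
    '"smb":{"id":88,"dialect":"2.02","command":"SMB2_COMMAND_TREE_DISCONNECT"}}\n'
)
# Same tag_keys as the inputs.tail config above; dotted keys address nested objects.
TAG_KEYS = ["in_iface", "event_type", "src_ip", "src_port", "dest_ip", "dest_port", "proto",
            "alert.signature", "alert.category", "alert.signature_severity"]
# Python spelling of the Go layout 2006-01-02T15:04:05-0700, plus Suricata's microseconds.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

def parse_whole_file(text):
    """What inputs.file does: hand the complete file to one JSON parser. Fails on NDJSON."""
    try:
        json.loads(text)
        return "ok"
    except json.JSONDecodeError as exc:
        return exc.msg  # "Extra data": a second '{' follows the first top-level value

def flatten(obj, prefix=""):
    """Flatten nested objects into Telegraf-style field names, e.g. flow_pkts_toserver."""
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}_"))
        else:
            out[f"{prefix}{key}"] = value
    return out

def parse_line(line):
    """What inputs.tail does per line: one event -> (timestamp, tags, fields)."""
    event = json.loads(line)
    ts = datetime.strptime(event.pop("timestamp"), TIME_FORMAT)
    flat = flatten(event)
    tag_names = {k.replace(".", "_") for k in TAG_KEYS}
    # Tags are strings; keys listed in tag_keys are removed from the fields.
    tags = {k: str(v) for k, v in flat.items() if k in tag_names}
    fields = {k: v for k, v in flat.items() if k not in tag_names}
    return ts, tags, fields

def parse_ndjson(text):
    """Go line by line, skipping blank lines, as the tail plugin would."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]
```

Running parse_whole_file on the sample returns the "Extra data" error, the Python counterpart of Telegraf's "invalid character '{' after top-level value", while parse_ndjson returns both events.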