Empty error when viewing events
I'm running Evebox 0.16 (Debian package install), and have noticed an error is triggered when viewing an event. To trigger it, I go to the "Events" top menu entry, then click on an event (from my testing, it seems to trigger on all events):
It seems like it's expecting an event key in the Suricata events; are these mandatory?
The full error stack:
TypeError: t._source.event is undefined
This looks like you may be using ECS which is still a work in progress? Are you using Filebeat with the Suricata module? If so, can you let me know which version of Filebeat and Elastic you are using?
I'm forwarding data with the file module of Filebeat (with Logstash and ES at version 7.17). I didn't do anything special or try to enable ECS, though I see an ecs.version key in my events.
Does your config look something like https://github.com/jasonish/evebox/wiki/Example-Filebeat-to-Logstash-Configuration?
There are many ways to get the data into Elastic that all result in slightly different schemas, so I need as much detail as possible please.
Yes, the conf is similar to this one. It seems Filebeat is actually adding the ecs field: when I take the Suricata JSON as file input and use a file output, the ecs field is present. I think the field appeared when I switched from filebeat-oss to the filebeat-free version.
Ok. This is a setup I haven't tested recently. Even though ecs might be present, Suricata events are only converted to ecs format when using the Filebeat Suricata module. So make sure you are not providing the --ecs flag to EveBox unless you are using the Filebeat Suricata module.
Short of that, this will likely have to wait until I can test this similar setup.
I'm not passing the --ecs flag when running evebox, and don't have an option in the yaml file to specify it.
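
The schema distinction discussed in this thread, as an added example that is not part of the original posts and is not EveBox code: it classifies an Elasticsearch hit as raw EVE, raw EVE that merely carries Filebeat's `ecs.version` stamp, or an ECS-converted document, and reads the event type without throwing when `_source.event` is absent. The function names, the sample documents and the `suricata.eve.*` layout assumed for the Filebeat Suricata module are assumptions for illustration.

```javascript
// Added example. Field layouts are assumptions: top-level event_type/src_ip for
// raw Suricata EVE, event.* plus suricata.eve.* for the Filebeat Suricata module.

// Constructed sample: raw EVE shipped through a generic Filebeat input.
// Filebeat stamps ecs.version on it, but no field is converted to ECS.
const rawEveHit = { _source: {
  timestamp: "2022-01-01T00:00:00.000000+0000",
  event_type: "alert", src_ip: "192.0.2.10", dest_ip: "198.51.100.20",
  alert: { signature_id: 1000001, signature: "constructed test rule" },
  ecs: { version: "1.12.0" },
}};

// Constructed sample: the same alert as an ECS-converted document.
const ecsHit = { _source: {
  "@timestamp": "2022-01-01T00:00:00.000Z",
  ecs: { version: "1.12.0" },
  event: { kind: "alert", module: "suricata" },
  source: { ip: "192.0.2.10" }, destination: { ip: "198.51.100.20" },
  suricata: { eve: { event_type: "alert", alert: { signature_id: 1000001 } } },
}};

// Decide which schema a hit uses. The presence of `ecs` alone proves nothing:
// only a populated `event` object plus `suricata.eve` indicates conversion.
function classifySource(hit) {
  const src = (hit && hit._source) || {};
  const hasEcsEvent = typeof src.event === "object" && src.event !== null;
  const hasModuleEve = Boolean(src.suricata && src.suricata.eve);
  if (hasEcsEvent && hasModuleEve) return "ecs";
  if (typeof src.event_type === "string") {
    return src.ecs ? "eve-with-ecs-version-stamp" : "eve";
  }
  return "unknown";
}

// Read the Suricata event type from either layout. Optional chaining returns
// undefined instead of raising a TypeError when an intermediate key is missing.
function eventType(hit) {
  const src = hit?._source ?? {};
  return src.event_type ?? src.suricata?.eve?.event_type ?? null;
}

console.log(classifySource(rawEveHit), eventType(rawEveHit));
console.log(classifySource(ecsHit), eventType(ecsHit));
```
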