Empty error when viewing events #241

Open
biolds opened this issue Jan 12, 2023 · 6 comments

biolds commented Jan 12, 2023

I'm running EveBox 0.16 (Debian package install), and have noticed an error is triggered when viewing an event. To trigger it, I go to the "Events" top menu entry, then click on an event (from my testing, it seems to trigger on all events):

It seems like it's expecting an event key in the Suricata events. Is this key mandatory?

The full error stack:

TypeError: t._source.event is undefined

@jasonish
Owner

This looks like you may be using ECS which is still a work in progress? Are you using Filebeat with the Suricata module? If so, can you let me know which version of Filebeat and Elastic you are using?

@biolds
Author

biolds commented Jan 13, 2023

I'm forwarding data with the file module of Filebeat (with Logstash and ES at version 7.17). I didn't do anything special or try to enable ECS, though I see an ecs.version key in my events.

@jasonish
Owner

Does your config look something like https://github.com/jasonish/evebox/wiki/Example-Filebeat-to-Logstash-Configuration?

There are many ways to get the data into Elastic that all result in slightly different schemas, so I need as much detail as possible please.

@biolds
Author

biolds commented Jan 16, 2023

Yes, the conf is similar to this one. It seems Filebeat is actually adding the ecs field: when I take the Suricata JSON as file input and use a file output, the ecs field is present. I think the field appeared when I switched from filebeat-oss to the filebeat-free version.

@jasonish
Owner

Ok. This is a setup I haven't tested recently. Even though ecs might be present, Suricata events are only converted to ecs format when using the Filebeat Suricata module. So make sure you are not providing the --ecs flag to EveBox unless you are using the filebeat Suricata module.

Short of that, this will likely have to wait until I can test this similar setup.

@biolds
Author

biolds commented Jan 17, 2023

I'm not passing the --ecs flag when running EveBox, and don't have an option in the YAML file to specify it.
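
The situation discussed in this thread, as an added example (not EveBox code and not from either participant): a document can carry an `ecs.version` key without having been converted to ECS, so a viewer should decide the layout from the fields it will actually read instead of dereferencing `_source.event` directly. The field layouts (`suricata.eve.*` plus an `event` object for the Filebeat Suricata module, top-level `event_type` for raw EVE), the function names and the sample documents are assumptions made for illustration.

```javascript
// Added example: classify an Elasticsearch hit before reading layout-specific keys.
// Assumed layouts: raw EVE keeps Suricata's top-level keys (event_type, src_ip, ...);
// the Filebeat Suricata module nests the record under suricata.eve and adds an
// ECS "event" object. An "ecs.version" key alone proves neither.
function classifyHit(hit) {
  const src = hit && hit._source;
  if (!src || typeof src !== "object") return "invalid";

  const hasEcsMarker = Boolean(src.ecs && src.ecs.version);
  const hasEcsEvent = Boolean(src.event && typeof src.event === "object");
  const hasModuleEve = Boolean(src.suricata && src.suricata.eve);
  const hasRawEve = typeof src.event_type === "string";

  if (hasEcsEvent && hasModuleEve) return "ecs-suricata-module";
  if (hasRawEve) return hasEcsMarker ? "raw-eve-with-ecs-marker" : "raw-eve";
  return "unknown";
}

// Read the event type through the layout that is actually present,
// returning null instead of throwing a TypeError on a missing object.
function eventType(hit) {
  switch (classifyHit(hit)) {
    case "ecs-suricata-module":
      return hit._source.suricata.eve.event_type ?? null;
    case "raw-eve":
    case "raw-eve-with-ecs-marker":
      return hit._source.event_type;
    default:
      return null;
  }
}

// Constructed sample: raw EVE shipped by Filebeat's plain file input, which
// stamps ecs.version on the document but creates no "event" object.
const rawWithMarker = {
  _id: "constructed-1",
  _source: {
    ecs: { version: "1.12.0" },
    event_type: "alert",
    src_ip: "192.0.2.10",
    dest_ip: "198.51.100.7",
  },
};

// Constructed sample: document shaped like Filebeat Suricata module output.
const moduleDoc = {
  _id: "constructed-2",
  _source: {
    ecs: { version: "1.12.0" },
    event: { kind: "alert" },
    suricata: { eve: { event_type: "alert" } },
  },
};
```
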
