-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Filebeat] Field aliases yield confusing Kibana Discovery results #10535
Comments
Pinging @elastic/secops |
But this kind of usage of aliases is to help migration from old schemas to the new ECS-centric schema. Is this a problem across the board, for example with fields such as |
I tried this out with the apache Filebeat module and Here a screenshot of an event: |
@andrewkroh Just noticed one difference in my tests: I tested against KB 7.0.0 Snapshot. Thought worth mentioning in case it makes a difference. |
Found in 7.0.0-SNAPSHOT Loaded vanilla nginx logs into a clean instance and see the following fields in Discover which I don't think should be there. Possibly not a kibana problem as the following return hits despite there not being any
|
I'm seeing this |
We are using filebeat 7.3.0 on our Kubernetes cluster and noticed the "suricata.eve.timestamp" field popping up on every event. Did a bit of digging up and found that the field is set on the filebeat template; under suricata properties; as an alias to field @timestamp (line 3899). "timestamp": { Rectified the problem by removing those particular lines of code in the template and rolled over the index to a new one. |
@Jimmy-Singh How exactly did you do this? You had to export the template or something first? What steps / commands can I run to do the same that you did? |
You will have to modify the filebeat template; you can do so by exporting -> modifying -> import via CURL or by using the GET/PUT template API via the kibana dev tool ( https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html ). Make sure to rollover the index after that ( https://www.elastic.co/guide/en/elasticsearch/reference/7.6/indices-rollover-index.html ) |
@andrewkroh Even in 7.8.1 this is still in the template? Is there any technical reason why removal of |
It hasn't been changed because it would be a breaking change to remove the field, but I think the bugfix justifies the breaking change and we should remove it. |
Remove the suricata.eve.timestamp alias field from the Suricata module. This is a breaking change for anything that we dependent upon the field, but its presence caused issue in Kibana since it was always displayed in Discover. Fixes elastic#10535
Remove the suricata.eve.timestamp alias field from the Suricata module. This is a breaking change for anything that we dependent upon the field, but its presence caused issue in Kibana since it was always displayed in Discover. Fixes #10535
Remove the suricata.eve.timestamp alias field from the Suricata module. This is a breaking change for anything that we dependent upon the field, but its presence caused issue in Kibana since it was always displayed in Discover. Fixes elastic#10535 (cherry picked from commit daed8f9)
We updated to 7.12 and suricate.eve.timestamp is gone but now we started to see lots of other suricata fields (and we don't use suricata) i.e (and also other fields like traefik.access.user_agent.original which we also don't use) Are those also related to to aliases? Sorry for commenting on a closed issue, let me know it should open a new. |
Something must have changed in Kibana to give the same behavior we saw with |
I've opened a PR to remove all of the Suricata alias fields. #26627 |
I found only one more non-migration alias (aka one that's present in all mappings) that points to an ECS fields. That was |
Alias fields are displayed in Kibana whenever their target exists in a document. This yields confusing results when, for example, you are looking at Zeek module events but see many `suricata.eve.*` fields just because Zeek populates many ECS fields. This is a breaking change for users that depend on the Suricata alias fields. Because these alias cause issues for all users I think it best to remove them. The following alias fields are removed: suricata.eve.fileinfo.filename suricata.eve.fileinfo.size suricata.eve.dest_port suricata.eve.src_port suricata.eve.proto suricata.eve.src_ip suricata.eve.dest_ip suricata.eve.http.status suricata.eve.http.http_user_agent suricata.eve.http.http_refer suricata.eve.http.url suricata.eve.http.hostname suricata.eve.http.http_refer suricata.eve.http.url suricata.eve.http.hostname suricata.eve.http.length suricata.eve.http.http_method suricata.eve.alert.severity suricata.eve.alert.action suricata.eve.flow.bytes_toclient suricata.eve.flow.start suricata.eve.flow.pkts_toclient suricata.eve.flow.bytes_toserver suricata.eve.flow.pkts_toserver suricata.eve.app_proto traefik.access.user_agent.device Relates: elastic#10535
…ngs (#26627) * Remove alias fields from Suricata/Traefik module mappings Alias fields are displayed in Kibana whenever their target exists in a document. This yields confusing results when, for example, you are looking at Zeek module events but see many `suricata.eve.*` fields just because Zeek populates many ECS fields. This is a breaking change for users that depend on the Suricata alias fields. Because these alias cause issues for all users I think it best to remove them. The following alias fields are removed: suricata.eve.fileinfo.filename suricata.eve.fileinfo.size suricata.eve.dest_port suricata.eve.src_port suricata.eve.proto suricata.eve.src_ip suricata.eve.dest_ip suricata.eve.http.status suricata.eve.http.http_user_agent suricata.eve.http.http_refer suricata.eve.http.url suricata.eve.http.hostname suricata.eve.http.http_refer suricata.eve.http.url suricata.eve.http.hostname suricata.eve.http.length suricata.eve.http.http_method suricata.eve.alert.severity suricata.eve.alert.action suricata.eve.flow.bytes_toclient suricata.eve.flow.start suricata.eve.flow.pkts_toclient suricata.eve.flow.bytes_toserver suricata.eve.flow.pkts_toserver suricata.eve.app_proto traefik.access.user_agent.device Relates: #10535 * Fix changelog
…ngs (#26627) * Remove alias fields from Suricata/Traefik module mappings Alias fields are displayed in Kibana whenever their target exists in a document. This yields confusing results when, for example, you are looking at Zeek module events but see many `suricata.eve.*` fields just because Zeek populates many ECS fields. This is a breaking change for users that depend on the Suricata alias fields. Because these alias cause issues for all users I think it best to remove them. The following alias fields are removed: suricata.eve.fileinfo.filename suricata.eve.fileinfo.size suricata.eve.dest_port suricata.eve.src_port suricata.eve.proto suricata.eve.src_ip suricata.eve.dest_ip suricata.eve.http.status suricata.eve.http.http_user_agent suricata.eve.http.http_refer suricata.eve.http.url suricata.eve.http.hostname suricata.eve.http.http_refer suricata.eve.http.url suricata.eve.http.hostname suricata.eve.http.length suricata.eve.http.http_method suricata.eve.alert.severity suricata.eve.alert.action suricata.eve.flow.bytes_toclient suricata.eve.flow.start suricata.eve.flow.pkts_toclient suricata.eve.flow.bytes_toserver suricata.eve.flow.pkts_toserver suricata.eve.app_proto traefik.access.user_agent.device Relates: #10535 * Fix changelog (cherry picked from commit 877ae2c)
…ngs (#26627) (#26896) * Remove alias fields from Suricata/Traefik module mappings Alias fields are displayed in Kibana whenever their target exists in a document. This yields confusing results when, for example, you are looking at Zeek module events but see many `suricata.eve.*` fields just because Zeek populates many ECS fields. This is a breaking change for users that depend on the Suricata alias fields. Because these alias cause issues for all users I think it best to remove them. The following alias fields are removed: suricata.eve.fileinfo.filename suricata.eve.fileinfo.size suricata.eve.dest_port suricata.eve.src_port suricata.eve.proto suricata.eve.src_ip suricata.eve.dest_ip suricata.eve.http.status suricata.eve.http.http_user_agent suricata.eve.http.http_refer suricata.eve.http.url suricata.eve.http.hostname suricata.eve.http.http_refer suricata.eve.http.url suricata.eve.http.hostname suricata.eve.http.length suricata.eve.http.http_method suricata.eve.alert.severity suricata.eve.alert.action suricata.eve.flow.bytes_toclient suricata.eve.flow.start suricata.eve.flow.pkts_toclient suricata.eve.flow.bytes_toserver suricata.eve.flow.pkts_toserver suricata.eve.app_proto traefik.access.user_agent.device Relates: #10535 * Fix changelog (cherry picked from commit 877ae2c) Co-authored-by: Andrew Kroh <[email protected]>
Hi! We're labeling this issue as |
👍 |
Hi! We're labeling this issue as |
🦖 |
👍 |
@andrewkroh We have seen an issue wherein a user reported seeing these |
The commit from the backport PR appears in releases >= v7.15.0 so the suricata aliases should not be present in index templates from those builds.
You can see what aliases are present in the index template by exporting it:
I checked 7.17 and there are no suricata alias fields. |
Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices) |
When browsing the Kibana Discover tab I noticed that
suricata.eve.timestamp
andsuricata.eve.flow.start
were present for events that were NOT from Suricata. It's somewhat misleading to have thesuricata.*
fields rendered when it's not a suricata event.These fields are not in the
_source
. They are aliases pointing to@timestamp
andevent.start
, respectively, which did happen to exist in the events that I was browsing.beats/x-pack/filebeat/module/suricata/eve/_meta/fields.yml
Lines 180 to 182 in e4686d0
beats/x-pack/filebeat/module/suricata/eve/_meta/fields.yml
Lines 679 to 681 in e4686d0
History
These aliases were added (#10377) in order to avoid duplicating data storage in an event while still maintaining the original suricata EVE JSON structure.
Possible Solutions
_source
.suricata.*
fields that renamed to an ECS field. Users familiar with the original EVE format might be a little lost until they learn ECS.Version: Filebeat 7.0.0 / Kibana 6.6.0
The text was updated successfully, but these errors were encountered: