Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Filebeat] Field aliases yield confusing Kibana Discovery results #10535

Open
andrewkroh opened this issue Feb 4, 2019 · 24 comments · Fixed by #22095
Open

[Filebeat] Field aliases yield confusing Kibana Discovery results #10535

andrewkroh opened this issue Feb 4, 2019 · 24 comments · Fixed by #22095
Labels
bug Filebeat Filebeat Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution

Comments

@andrewkroh
Copy link
Member

andrewkroh commented Feb 4, 2019

When browsing the Kibana Discover tab I noticed that suricata.eve.timestamp and suricata.eve.flow.start were present for events that were NOT from Suricata. It's somewhat misleading to have the suricata.* fields rendered when it's not a suricata event.

screen shot 2019-02-04 at 9 24 30 am

These fields are not in the _source. They are aliases pointing to @timestamp and event.start, respectively, which did happen to exist in the events that I was browsing.

History

These aliases were added (#10377) in order to avoid duplicating data storage in an event while still maintaining the original suricata EVE JSON structure.

Possible Solutions

  • Remove the aliases and duplicate the data within _source.
  • Remove the aliases and remove the suricata.* fields that renamed to an ECS field. Users familiar with the original EVE format might be a little lost until they learn ECS.
  • Ideas?

Version: Filebeat 7.0.0 / Kibana 6.6.0

@elasticmachine
Copy link
Collaborator

Pinging @elastic/secops

@andrewkroh andrewkroh changed the title [Filebeat] Many-to-One field aliases yield confusing Kibana Discovery results [Filebeat] Field aliases yield confusing Kibana Discovery results Feb 4, 2019
@webmat
Copy link
Contributor

webmat commented Feb 4, 2019

But this kind of usage of aliases is to help migration from old schemas to the new ECS-centric schema. Is this a problem across the board, for example with fields such as source.address?

@ruflin
Copy link
Contributor

ruflin commented Feb 4, 2019

I tried this out with the apache Filebeat module and -E migration.enabled which means all aliases for nginx, apache etc. are loaded. Looking at the event, I don't see also the alias fields. It seems the above only applies to date values? I'm not sure what the logic here is on the Kibana side.

Here a screenshot of an event:

screenshot 2019-02-04 at 20 34 55

@ruflin
Copy link
Contributor

ruflin commented Feb 4, 2019

@andrewkroh Just noticed one difference in my tests: I tested against KB 7.0.0 Snapshot. Thought worth mentioning in case it makes a difference.

@sophiec20
Copy link
Contributor

sophiec20 commented Feb 27, 2019

Found in 7.0.0-SNAPSHOT { "build" : { "hash" : "a90fcf0", "date" : "2019-02-20T18:17:35.110454Z" },

Loaded vanilla nginx logs into a clean instance and see the following fields in Discover which I don't think should be there.

image

Possibly not a kibana problem as the following return hits despite there not being any suricata data.

GET filebeat-*/_search
{
    "query": {
        "exists" : { "field" : "suricata.eve.timestamp" }
    }
}

@willemdh
Copy link

I'm seeing this suricata.eve.timestamp field in several datasets that have nothing to do with suricata.. (also we are not using suricata anywhere) Glad I found this issue, is there any plan to get rid of it?

@Jimmy-Singh
Copy link

Jimmy-Singh commented Oct 3, 2019

We are using filebeat 7.3.0 on our Kubernetes cluster and noticed the "suricata.eve.timestamp" field popping up on every event. Did a bit of digging up and found that the field is set on the filebeat template; under suricata properties; as an alias to field @timestamp (line 3899).

"timestamp": {
"path": "@timestamp",
"type": "alias"
}

Rectified the problem by removing those particular lines of code in the template and rolled over the index to a new one.

@J7mbo
Copy link

J7mbo commented Feb 25, 2020

@Jimmy-Singh How exactly did you do this? You had to export the template or something first? What steps / commands can I run to do the same that you did?

@Jimmy-Singh
Copy link

You will have to modify the filebeat template; you can do so by exporting -> modifying -> import via CURL or by using the GET/PUT template API via the kibana dev tool ( https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html ).

Make sure to rollover the index after that ( https://www.elastic.co/guide/en/elasticsearch/reference/7.6/indices-rollover-index.html )

@willemdh
Copy link

willemdh commented May 10, 2020

Why is this still in the latest beats templates?

image

It's very confusing for some users to see this in every filebeat source..

@willemdh
Copy link

willemdh commented Aug 3, 2020

@andrewkroh Even in 7.8.1 this is still in the template? Is there any technical reason why removal of "suricata.eve.timestamp" takes so much time? The number of times I had to explain this...

@andrewkroh
Copy link
Member Author

It hasn't been changed because it would be a breaking change to remove the field, but I think the bugfix justifies the breaking change and we should remove it.

andrewkroh added a commit to andrewkroh/beats that referenced this issue Oct 22, 2020
Remove the suricata.eve.timestamp alias field from the Suricata module.

This is a breaking change for anything that we dependent upon the field, but its
presence caused issue in Kibana since it was always displayed in Discover.

Fixes elastic#10535
andrewkroh added a commit that referenced this issue Oct 22, 2020
Remove the suricata.eve.timestamp alias field from the Suricata module.

This is a breaking change for anything that we dependent upon the field, but its
presence caused issue in Kibana since it was always displayed in Discover.

Fixes #10535
andrewkroh added a commit to andrewkroh/beats that referenced this issue Oct 22, 2020
Remove the suricata.eve.timestamp alias field from the Suricata module.

This is a breaking change for anything that we dependent upon the field, but its
presence caused issue in Kibana since it was always displayed in Discover.

Fixes elastic#10535

(cherry picked from commit daed8f9)
andrewkroh added a commit that referenced this issue Oct 27, 2020
Remove the suricata.eve.timestamp alias field from the Suricata module.

This is a breaking change for anything that we dependent upon the field, but its
presence caused issue in Kibana since it was always displayed in Discover.

Fixes #10535

(cherry picked from commit daed8f9)
@johanhammar
Copy link

We updated to 7.12 and suricate.eve.timestamp is gone but now we started to see lots of other suricata fields (and we don't use suricata)

i.e
suricata.eve.http.http_method
suricata.eve.http.http_user_agent
suricata.eve.http.length
suricata.eve.http.status

(and also other fields like traefik.access.user_agent.original which we also don't use)

Are those also related to to aliases?

Sorry for commenting on a closed issue, let me know it should open a new.

@andrewkroh andrewkroh reopened this Mar 29, 2021
@andrewkroh
Copy link
Member Author

Something must have changed in Kibana to give the same behavior we saw with date types to other types. I'm in favor of removing those aliases from the Suricata module.

@andrewkroh
Copy link
Member Author

I've opened a PR to remove all of the Suricata alias fields. #26627

@andrewkroh
Copy link
Member Author

I found only one more non-migration alias (aka one that's present in all mappings) that points to an ECS fields. That was traefik.access.user_agent.device. I think I'll remove that too while I'm making breaking changes.

andrewkroh added a commit to andrewkroh/beats that referenced this issue Jul 12, 2021
Alias fields are displayed in Kibana whenever their target exists in a document. This yields
confusing results when, for example, you are looking at Zeek module events but see many
`suricata.eve.*` fields just because Zeek populates many ECS fields.

This is a breaking change for users that depend on the Suricata alias fields. Because these
alias cause issues for all users I think it best to remove them.

The following alias fields are removed:

suricata.eve.fileinfo.filename
suricata.eve.fileinfo.size
suricata.eve.dest_port
suricata.eve.src_port
suricata.eve.proto
suricata.eve.src_ip
suricata.eve.dest_ip
suricata.eve.http.status
suricata.eve.http.http_user_agent
suricata.eve.http.http_refer
suricata.eve.http.url
suricata.eve.http.hostname
suricata.eve.http.http_refer
suricata.eve.http.url
suricata.eve.http.hostname
suricata.eve.http.length
suricata.eve.http.http_method
suricata.eve.alert.severity
suricata.eve.alert.action
suricata.eve.flow.bytes_toclient
suricata.eve.flow.start
suricata.eve.flow.pkts_toclient
suricata.eve.flow.bytes_toserver
suricata.eve.flow.pkts_toserver
suricata.eve.app_proto
traefik.access.user_agent.device

Relates: elastic#10535
andrewkroh added a commit that referenced this issue Jul 15, 2021
…ngs (#26627)

* Remove alias fields from Suricata/Traefik module mappings

Alias fields are displayed in Kibana whenever their target exists in a document. This yields
confusing results when, for example, you are looking at Zeek module events but see many
`suricata.eve.*` fields just because Zeek populates many ECS fields.

This is a breaking change for users that depend on the Suricata alias fields. Because these
alias cause issues for all users I think it best to remove them.

The following alias fields are removed:

suricata.eve.fileinfo.filename
suricata.eve.fileinfo.size
suricata.eve.dest_port
suricata.eve.src_port
suricata.eve.proto
suricata.eve.src_ip
suricata.eve.dest_ip
suricata.eve.http.status
suricata.eve.http.http_user_agent
suricata.eve.http.http_refer
suricata.eve.http.url
suricata.eve.http.hostname
suricata.eve.http.http_refer
suricata.eve.http.url
suricata.eve.http.hostname
suricata.eve.http.length
suricata.eve.http.http_method
suricata.eve.alert.severity
suricata.eve.alert.action
suricata.eve.flow.bytes_toclient
suricata.eve.flow.start
suricata.eve.flow.pkts_toclient
suricata.eve.flow.bytes_toserver
suricata.eve.flow.pkts_toserver
suricata.eve.app_proto
traefik.access.user_agent.device

Relates: #10535

* Fix changelog
mergify bot pushed a commit that referenced this issue Jul 15, 2021
…ngs (#26627)

* Remove alias fields from Suricata/Traefik module mappings

Alias fields are displayed in Kibana whenever their target exists in a document. This yields
confusing results when, for example, you are looking at Zeek module events but see many
`suricata.eve.*` fields just because Zeek populates many ECS fields.

This is a breaking change for users that depend on the Suricata alias fields. Because these
alias cause issues for all users I think it best to remove them.

The following alias fields are removed:

suricata.eve.fileinfo.filename
suricata.eve.fileinfo.size
suricata.eve.dest_port
suricata.eve.src_port
suricata.eve.proto
suricata.eve.src_ip
suricata.eve.dest_ip
suricata.eve.http.status
suricata.eve.http.http_user_agent
suricata.eve.http.http_refer
suricata.eve.http.url
suricata.eve.http.hostname
suricata.eve.http.http_refer
suricata.eve.http.url
suricata.eve.http.hostname
suricata.eve.http.length
suricata.eve.http.http_method
suricata.eve.alert.severity
suricata.eve.alert.action
suricata.eve.flow.bytes_toclient
suricata.eve.flow.start
suricata.eve.flow.pkts_toclient
suricata.eve.flow.bytes_toserver
suricata.eve.flow.pkts_toserver
suricata.eve.app_proto
traefik.access.user_agent.device

Relates: #10535

* Fix changelog

(cherry picked from commit 877ae2c)
andrewkroh added a commit that referenced this issue Jul 27, 2021
…ngs (#26627) (#26896)

* Remove alias fields from Suricata/Traefik module mappings

Alias fields are displayed in Kibana whenever their target exists in a document. This yields
confusing results when, for example, you are looking at Zeek module events but see many
`suricata.eve.*` fields just because Zeek populates many ECS fields.

This is a breaking change for users that depend on the Suricata alias fields. Because these
alias cause issues for all users I think it best to remove them.

The following alias fields are removed:

suricata.eve.fileinfo.filename
suricata.eve.fileinfo.size
suricata.eve.dest_port
suricata.eve.src_port
suricata.eve.proto
suricata.eve.src_ip
suricata.eve.dest_ip
suricata.eve.http.status
suricata.eve.http.http_user_agent
suricata.eve.http.http_refer
suricata.eve.http.url
suricata.eve.http.hostname
suricata.eve.http.http_refer
suricata.eve.http.url
suricata.eve.http.hostname
suricata.eve.http.length
suricata.eve.http.http_method
suricata.eve.alert.severity
suricata.eve.alert.action
suricata.eve.flow.bytes_toclient
suricata.eve.flow.start
suricata.eve.flow.pkts_toclient
suricata.eve.flow.bytes_toserver
suricata.eve.flow.pkts_toserver
suricata.eve.app_proto
traefik.access.user_agent.device

Relates: #10535

* Fix changelog

(cherry picked from commit 877ae2c)

Co-authored-by: Andrew Kroh <[email protected]>
@botelastic
Copy link

botelastic bot commented Jun 30, 2022

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Jun 30, 2022
@johanhammar
Copy link

👍

@botelastic botelastic bot removed the Stalled label Jun 30, 2022
@botelastic
Copy link

botelastic bot commented Jun 30, 2023

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Jun 30, 2023
@willemdh
Copy link

willemdh commented Jul 1, 2023

🦖

@botelastic botelastic bot removed the Stalled label Jul 1, 2023
@J7mbo
Copy link

J7mbo commented Aug 1, 2023

👍

@devamanv
Copy link
Contributor

devamanv commented Nov 10, 2023

@andrewkroh We have seen an issue wherein a user reported seeing these suricate.eve.* fields in the events. They are using Filebeat v7.17.10. I see that a PR was raised to fix it as seen in your comment. I see that we have a label of backport-7.15.0, assuming it was only backported to Filebeat v7.15. Can you please help me understand or clarify if this issue could be seen in 7.17.x. Could really help us with our next steps.

@andrewkroh
Copy link
Member Author

The commit from the backport PR appears in releases >= v7.15.0 so the suricata aliases should not be present in index templates from those builds.

$ git tag --contains 16108a
v7.15.0
v7.15.1
v7.15.2
v7.16.0
v7.16.1
v7.16.2
v7.16.3
v7.17.0
v7.17.1
v7.17.10
v7.17.11
v7.17.12
v7.17.13
v7.17.14
v7.17.2
v7.17.3
v7.17.4
v7.17.5
v7.17.6
v7.17.7
v7.17.8
v7.17.9

You can see what aliases are present in the index template by exporting it:

./filebeat export template | gron | grep '"alias"'

I checked 7.17 and there are no suricata alias fields.

@narph narph added Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution and removed Team:SIEM labels Feb 13, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Filebeat Filebeat Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution
Projects
None yet
Development

Successfully merging a pull request may close this issue.