cvandeplas / elk-forensics Goto Github PK

Dear Guy,
Your project is really cool and awesome,I'm very interested in it.Many thanks your great contribution.I follow your command to import data, but below error happened, please help on it.

root@debian:~/ELK-forensics# cat computername.mactime | nc -vv -n 127.0.0.1 18001
cat: computername.mactime: No such file or directory
(UNKNOWN) [127.0.0.1] 18001 (?) : Connection refused
sent 0, rcvd 0

root@debian:~/ELK-forensics# cat SG100-* | nc -vv -n 127.0.0.1 18002
cat: SG100-*: No such file or directory
(UNKNOWN) [127.0.0.1] 18002 (?) : Connection refused
sent 0, rcvd 0

Hi,

I tried to import the bluecoat.json into the current Kibana 7.2. (via Management - Saved Objects). This doesn't work. Can you provide us a new json/ndjson file which is working? Would be really great, thanks.

Hello,

I am having some trouble loading Plaso CSV data into ELK using the plaso.l2tcsv.conf. The issue is that the @timestamp field is being populated with the CSV load time and not the time created by the mutate statements in the conf file that concatenates the date, time, and timezone.

I am using the unmodified plaso.l2tcsv.conf file from this GitHub page.

LogStash version: 5.6.1
Elasticsearch version: 5.6.0
Kibana Version: 5.6.0
OS: Ubuntu 16.04

I have included the Logstash log file and a screenshot of the loaded data in Kibana.

Thoughts on what might be causing the issue?

Thanks

-Mark

[email protected]
Skype: mhallman

logstash-plain.log

That's a very interesting project Christophe!
Could somebody import those json templates to Kibana 4 too? If yes, could you possibly explain how and update the readme file?

I use IIS log for ELK and modify some config of logstash and kibana template.

• w3c-extended-iis.json
  -> just modified "index" name same as "index" name of logstash config file
• w3c-extended-iis.conf
  -> at filter, csv columns field modified to my iis log
  -> at output, "index" name is modified
  • original : index => "logstash-%{[type]}-%{+YYYY.MM.dd}"
  • modified : index => "iis_log_merge"

I configure all log is indexed one indice.

Result is good, but some panel data is broken like below.

I use filed name like below

REQUEST URI : cs_uri_stem
URI QUERY : cs_uri_query
USER-AGENT : cs_user_agent
COUNTRY : geoip.country_name

Default template use field name like cs_uri_stem.raw but when i use default template, result is always "Missing field".
So, I modified field name like above.

Please advice to me.

Regards