Issues with Filebeat

I’m running OpenSearch 1.1.0 + OpenDashboard 1.1.0 + logstash OSS 7-12-0 + filebeat 7-10-2
and I’m having issues taking the filebeat input from the suricata module file in /etc/filebeat/modules.d/suricata.yml
When I enable the suricata.yml, filebeat doesn’t start anymore. See below. When I disable the suricata module and have it fetch from filebeat.inputs path: /var/log/suricata/eve.json
I see on Kibana/Dashboard that I get _jsonparsefailure with garbage logs.

Filebeat service not starting when suricata module enabled:
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2021-10-16 16:02:54 EDT; 9min ago
Docs: Filebeat: Lightweight Log Analysis & Elasticsearch | Elastic
Process: 22426 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exited, status=1/FAILUR
Main PID: 22426 (code=exited, status=1/FAILURE)

Garbage logs received when asking filebeat to fetch directly from the /var/log/suricata/eve.json file.
Oct 16 16:02:54 nuc_linux systemd[1]: filebeat.service: Service hold-off time over, scheduling restart.
Oct 16 16:02:54 nuc_linux systemd[1]: filebeat.service: Scheduled restart job, restart counter is at 5.
Oct 16 16:02:54 nuc_linux systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch…
Oct 16 16:02:54 nuc_linux systemd[1]: filebeat.service: Start request repeated too quickly.
Oct 16 16:02:54 nuc_linux systemd[1]: filebeat.service: Failed with result ‘exit-code’.
Oct 16 16:02:54 nuc_linux systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch…
sharp@nuc_linux:/etc/filebeat/modules.d$

Garbage logs in Kibana
message
\xCD-\xC4t[\xB5+ʈ\u0017V\u0013a\e\x86bL \xF2\\\xFE\xB0\xFF\xFA\xC7^\xF1\xFAqv\xF8\xFAt\\D\xBEWz\xAFO\x8E\x89\xF2l\x9AA\f\xA6\xD5\u0004\r \r\u0003\xD8\u0000\xD6\xFAl\u0000\vV\x86E΄:P\u0006\xD6d\u0003\xB0\xB2S6\x80\x8D.s&\xB4\e\x82\x86\u000E\xAC\xE9\xCDPF\xBC\xAA\xEBd\u0003\u0018p\ xB9:\x94\u0011\xBB\xA0䡌$\u000Fe$y(#\xC9C\u0019I\u001E\xCAH\xF2PF\x92\x872\x92<\x94\x91䡌$\u000Fe$y(#\xC9C\u0019\xAD\u001E\xCAHrAC\xC9\u0005\r%\u00174\x94\ \\xD0PrAC\xC9\u0005\r\xE7\v\u001A\xAA\xAE\x92\\xD0p#\x82\x86\u001C>x\xC3-\xC3\a\xF3q\x81Y#\xAF\x85,\eo\xCE\xC8k\f\x91\xA6 M\xD5\ru\xDDx\xF5

Boy, that looks like garbage input. How does the /var/log/suricata/eve.json look when you tail it manually?
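To answer that question before tailing through a pipeline, here is a small check added to this thread (not code from either poster): it reads an eve.json (newline-delimited JSON) file and classifies each line the way a JSON codec would, so you can see whether the _jsonparsefailure comes from the file itself (non-UTF-8 bytes, truncated lines, non-object records) or from the shipper. The sample bytes are constructed to mimic the symptoms described above.

```python
"""Classify lines of a Suricata eve.json file by why a JSON codec would reject them.
Added diagnostic for this thread; the sample data below is constructed, not real."""
import json
from collections import Counter
from typing import Dict

# Constructed NDJSON sample: two good Suricata events plus three broken lines.
SAMPLE_EVE = (
    b'{"timestamp":"2021-10-16T16:02:54.000000-0400","event_type":"alert",'
    b'"src_ip":"10.0.0.5","alert":{"signature_id":2100498}}\n'
    b'{"timestamp":"2021-10-16T16:02:55.000000-0400","event_type":"flow","src_ip":"10.0.0.5"}\n'
    b'\xcd-\xc4t[\xb5+\x00\xd6\xfal\n'                                        # binary garbage, not UTF-8
    b'{"timestamp":"2021-10-16T16:02:56.000000-0400","event_type":"dns"\n'    # truncated record
    b'[1,2,3]\n'                                                               # valid JSON, not an event object
)


def classify_line(raw: bytes) -> str:
    """Return 'ok' or the first reason this line would fail downstream."""
    if not raw.strip():
        return "blank"
    try:
        text = raw.decode("utf-8")          # a JSON codec needs valid UTF-8 first
    except UnicodeDecodeError:
        return "not_utf8"
    try:
        obj = json.loads(text)              # then each line must be one complete JSON value
    except json.JSONDecodeError:
        return "not_json"
    if not isinstance(obj, dict) or "event_type" not in obj:
        return "not_eve_event"              # eve records are objects carrying event_type
    return "ok"


def audit_eve(data: bytes) -> Dict[str, int]:
    """Count lines per category; anything other than 'ok' explains a _jsonparsefailure."""
    counts = Counter(classify_line(line) for line in data.split(b"\n") if line)
    return dict(counts)


def audit_eve_file(path: str) -> Dict[str, int]:
    """Run the audit over a real file, e.g. /var/log/suricata/eve.json."""
    with open(path, "rb") as fh:
        return audit_eve(fh.read())


if __name__ == "__main__":
    print(audit_eve(SAMPLE_EVE))
```

If a real file reports only "ok" lines, the garbage is being introduced between the file and the indexer rather than by Suricata.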

Hey Kyle. I was actually able to fix the issue by having logstash directly fetch the eve.json file. Things started working after that. See below my logstash configs. Is there a compatibility issue with the suricata filebeat module and logstash? When I installed filebeat oss I didn’t see it there by default so I’m suspecting that may have been the issue.

./etc/logstash/conf.d/logstash.conf

input {
  file {
    # Read Suricata's EVE output directly; each line is one JSON event
    path => ["/var/log/suricata/eve.json"]
    #sincedb_path => ["/var/lib/logstash/"]
    codec => "json"
    type => "SuricataIDPS"
    start_position => "beginning"
  }
}

I’m not aware of any incompatibility between the suricata filebeat module and logstash. Glancing at the configs for Suricata it looks fairly straightforward. Perhaps fluentbit if you don’t want to use logstash directly?