Can't Import the Content Pack

[JSylvia007]

Howdy! So after the success if the pfSense dashboard that you provided, I figured I would try the Suricata one, especially after what I learned from the pfSense one.

The issue is, I can't get past the content pack piece... I am able to upload it, but I can't apply it. When I try to apply it, I get an error telling me to check the logs. This is an export of the log:

2018-09-27T23:32:09.037-04:00 INFO  [InputStateListener] Input [Beats/5a9b0dd0687cf800d1ef207c] is now STARTING
2018-09-27T23:32:09.040-04:00 ERROR [BundleImporter] Error while creating entities in content pack. Starting rollback.
com.mongodb.DuplicateKeyException: Write failed with error code 11000 and error message 'E11000 duplicate key error collection: graylog.lut_caches index: name_1 dup key: { : "cache-service-port" }'

[JSylvia007]

Any movement on this? Its still not working for me.

[JSylvia007]

Bump?? Anybody home?

[ghost]

You still stuck on this @JSylvia007?

I found a work around for it all. I Never got his package to work but I did manage to do it manually.

[JSylvia007]

Hey @pipetennathan... I did get it sorted out the same way. It was a bit of a pain but looking through all the logs helped me to figure it out.

[ghost]

Hey @PipeTenNathan... I did get it sorted out the same way. It was a bit of a pain but looking through all the logs helped me to figure it out.

Did you get beats working over TLS? I did. Posted the method here. https://forum.netgate.com/topic/136998/how-to-send-snort-alert-logs-to-graylog-without-barnyard2/11

[jimbrzk]

Hi,

i meanage to make working content pack for Graylog 3 if some one is still intrasted in it.

content-pack-dd56a523-b5e7-402d-a648-f96d771372cd-1.json.txt

I can't make Grafana to make some charts, can somebody help me with it?

[robben-ar]

How would it be manually? Could you share that solution? We would be very grateful.
I have working with ELK but I can't find the Graylog.

[ghost]

Hi,

i meanage to make working content pack for Graylog 3 if some one is still intrasted in it.

content-pack-dd56a523-b5e7-402d-a648-f96d771372cd-1.json.txt

I can't make Grafana to make some charts, can somebody help me with it?

So for Grafana youll need to use their elastic search input and ensure all inputs to it are JSON (which is done with a tickbox in suracata settings in EVE output settings)

On the Graylog server you'll need to;

curl 'localhost:9200/_cat/indices?v' < --- this will work
curl '$domainname:9200/_cat/indices?v' < --- this will fail
----
echo 'network.host: 0.0.0.0' >> /etc/elasticsearch/elasticsearch.yml
systemctl restart elasticsearch.service
WAIT LIKE 60 Seconds.

curl '$domainname:9200/_cat/indices?v' < --- this NOW will work

curl '192.168.xx.xx:9200/_cat/indices?v'< --- this NOW will work

if you have a FW you will have to add the IP and port to a FW rule 

firewall-cmd --permanent --add-port=9200/tcp --zone=permitted
firewall-cmd --permanent --add-source=xxx.xxx.xxx.xxx/32 --zone=permitted
firewall-cmd --reload

Grafana elastic only cares about JSON. it ignores everything else.

Hope this helps.

[TDJ211]

Thanks kubala156, I was able to import your revised content pack.

But now im stuck on adding the custom Suricata-elastic-template in elasticsearch Brain. In the instructions, it appears he accesses the Elasticsearch GUI. How do I access that? Is it same IP and different port number? Or is it something that is done from the CLI?

[robben-ar]

Thanks kubala156, I was able to import your revised content pack.

But now im stuck on adding the custom Suricata-elastic-template in elasticsearch Brain. In the instructions, it appears he accesses the Elasticsearch GUI. How do I access that? Is it same IP and different port number? Or is it something that is done from the CLI?

You can do that with Cerebro: https://github.com/lmenezes/cerebro

I could import the Content Pack and import the template but I still cannot copy the geo_point fields.
So grafana is not able to graph the points on the map :(

Could someone import the templates well?
I am using Elasticsearch 5.6
I hope we can make good huntings.-

[TDJ211]

Thanks kubala156, I was able to import your revised content pack.
But now im stuck on adding the custom Suricata-elastic-template in elasticsearch Brain. In the instructions, it appears he accesses the Elasticsearch GUI. How do I access that? Is it same IP and different port number? Or is it something that is done from the CLI?

You can do that with Cerebro: https://github.com/lmenezes/cerebro

I could import the Content Pack and import the template but I still cannot copy the geo_point fields.
So grafana is not able to graph the points on the map :(

Could someone import the templates well?
I am using Elasticsearch 5.6
I hope we can make good huntings.-

Thanks for the assist. I eventually got Cerebro up, but now its giving me an error when trying to import the new template. I just copy and pasted and its giving me an error.

[robben-ar]

Thanks kubala156, I was able to import your revised content pack.
But now im stuck on adding the custom Suricata-elastic-template in elasticsearch Brain. In the instructions, it appears he accesses the Elasticsearch GUI. How do I access that? Is it same IP and different port number? Or is it something that is done from the CLI?

You can do that with Cerebro: https://github.com/lmenezes/cerebro
I could import the Content Pack and import the template but I still cannot copy the geo_point fields.
So grafana is not able to graph the points on the map :(
Could someone import the templates well?
I am using Elasticsearch 5.6
I hope we can make good huntings.-

Thanks for the assist. I eventually got Cerebro up, but now its giving me an error when trying to import the new template. I just copy and pasted and its giving me an error.

In this Youtube channel, it explains in a very simple way the installation and configuration of Graylog and Grafana: https://www.youtube.com/channel/UCXPdZsu8g1nKerd-o5A75vA

If someone could solve the geo_point issue please let us know.

Regards.-

[flotpg]

I also can't import the template: " Error creating template"

elasticsearch: 7.10.2