Suricata eve.json input file

Hello,

I’m trying to get the JSON from the Suricata eve.json file into InfluxDB. I can’t find out how to make it work.

I’m using: JSON input data format | Telegraf 1.15 Documentation
##### This is my error:

```
telegraf[25743]: 2020-10-13T10:49:01Z E! [inputs.file] Error in plugin: invalid character '{' after top-level value
```

##### My configuration

```toml
[[inputs.file]]
  files = ["/var/log/suricata/eve.json"]
  data_format = "json"
  json_query = ""
  tag_keys = [
    "ids"
  ]
  json_string_fields = []
  json_name_key = ""
  json_time_key = ""
  json_time_format = "2006-01-02T15:04:05Z07:00"
```

And these are some examples of the logs:

```json
{"timestamp":"2020-10-13T12:58:24.147503+0200","flow_id":1725062989050064,"in_iface":"ens256","event_type":"flow","vlan":[123],"src_ip":"1.1.1.1","src_port":33031,"dest_ip":"2.2.2.2","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":88,"bytes_toclient":905,"start":"2020-10-13T12:51:25.815312+0200","end":"2020-10-13T12:51:25.974559+0200","age":0,"state":"established","reason":"unknown","alerted":false},"community_id":"1:q2HBJLLLZs/6KeeWi0JoV/xFdBo="}
```

Another:

```json
{"timestamp":"2020-10-13T12:52:29.524846+0200","flow_id":886715040085354,"in_iface":"ens256","event_type":"smb","vlan":[123],"src_ip":"1.1.1.1","src_port":55941,"dest_ip":"2.2.2.2","dest_port":445,"proto":"TCP","smb":{"id":88,"dialect":"2.02","command":"SMB2_COMMAND_TREE_DISCONNECT","status":"STATUS_SUCCESS","status_code":"0x0","session_id":1921664783,"tree_id":1025540562},"community_id":"1:uFcPUO+KTRhUEH68URd54jNQmv4="}
{"timestamp":"2020-10-13T12:52:34.852475+0200","flow_id":886715040085354,"in_iface":"ens256","event_type":"smb","vlan":[123],"src_ip":"1.1.1.1","src_port":55941,"dest_ip":"2.2.2.2","dest_port":445,"proto":"TCP","smb":{"id":87,"dialect":"2.02","command":"SMB2_COMMAND_READ","status":"STATUS_SUCCESS","status_code":"0x0","session_id":1921664783,"tree_id":1516891187,"filename":"GoogleDriveblabla.txt","share":"\\\\2.2.2.2\\Data","fuid":"08348f96-0000-0000-a3c6-f0f000000000"},"community_id":"1:uFcPUO+KTRhUEH68URd54jNQmv4="}
```

These are just some examples.

I’m trying with Telegraf to InfluxDB, but maybe you have another solution? :slight_smile:

Thank you for your help!
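Added worked example (Python; not from the original post, and not Telegraf's own code): it reproduces why reading eve.json as a single JSON document fails, since Suricata writes one JSON object per line, and then maps each line to an InfluxDB line-protocol point with a nanosecond timestamp. The sample lines are constructed from the post's records; the tag keys and the measurement name are assumptions. Note that Suricata writes the zone offset as `+0200`, without the colon that the post's `Z07:00` layout expects.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of newline-delimited eve.json, trimmed from the post's records.
EVE_LINES = (
    '{"timestamp":"2020-10-13T12:58:24.147503+0200","flow_id":1725062989050064,"event_type":"flow",'
    '"src_ip":"1.1.1.1","src_port":33031,"dest_ip":"2.2.2.2","dest_port":53,"proto":"UDP",'
    '"app_proto":"dns","vlan":[123],"flow":{"pkts_toserver":1,"bytes_toclient":905,"alerted":false}}\n'
    '{"timestamp":"2020-10-13T12:52:29.524846+0200","flow_id":886715040085354,"event_type":"smb",'
    '"src_ip":"1.1.1.1","src_port":55941,"dest_ip":"2.2.2.2","dest_port":445,"proto":"TCP",'
    '"smb":{"id":88,"dialect":"2.02","command":"SMB2_COMMAND_TREE_DISCONNECT","status":"STATUS_SUCCESS"}}\n'
)
TAG_KEYS = ("event_type", "proto", "app_proto", "src_ip", "dest_ip")  # assumed choice of tags
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def whole_file_parse_fails(text):
    # Parsing the file as ONE JSON document fails at the second '{', which is
    # the condition Telegraf reports as "invalid character '{' after top-level value".
    try:
        json.loads(text)
        return False
    except json.JSONDecodeError:
        return True

def flatten(obj, prefix=""):
    # flow.* / smb.* become flow_* / smb_* keys; lists ("vlan") are not scalar fields.
    out = {}
    for k, v in obj.items():
        if isinstance(v, dict):
            out.update(flatten(v, f"{prefix}{k}_"))
        elif not isinstance(v, list):
            out[f"{prefix}{k}"] = v
    return out

def escape_tag(v):  # line-protocol tag values must escape comma, space and '='
    return str(v).replace(",", "\\,").replace(" ", "\\ ").replace("=", "\\=")
def fmt_field(v):  # bool -> true/false, int -> 12i, anything else -> quoted string
    return str(v).lower() if isinstance(v, bool) else (f"{v}i" if isinstance(v, int) else f'"{v}"')

def to_line_protocol(line, measurement="suricata"):
    # One eve record -> one point (ns timestamp); %z accepts Suricata's +0200 zone form.
    ev = json.loads(line)
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    ns = ((ts - EPOCH) // timedelta(microseconds=1)) * 1000
    flat = flatten(ev)
    tags = ",".join(f"{k}={escape_tag(flat[k])}" for k in TAG_KEYS if k in flat)
    fields = ",".join(f"{k}={fmt_field(v)}" for k, v in flat.items() if k not in TAG_KEYS and k != "timestamp")
    return f"{measurement},{tags} {fields} {ns}"

def convert_eve(text):  # one point per non-empty line
    return [to_line_protocol(l) for l in text.splitlines() if l.strip()]
```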