Error with Painless scripted field 'doc['flow_id'].value'. #1
Comments
How do you import the dashboards exactly?
I'm receiving the same script exception. Dashboards, etc. are imported via the curl commands provided on the README page. The issue is preventing events in the EventsList from being displayed. I'm using the logstash filter that is linked to off the README page. The following is further information from the SN-ALL dashboard. Please advise. script_exception at shard 0, index logstash-flow-2020.11.22, node VURsDiwmTnyNCTmjTmpqmQ, Script Lang
Was able to reproduce. Will try to cook a patch today. I think it is related to a possible fix here: StamusNetworks/SELKS#255 (comment). I would like to confirm: on which dashboards/vizs does this appear?
I only have Elasticsearch indexes for: alert, fileinfo, flow, http, tls. The issue is only appearing on SN-ALERTS from the data I have. As a note, I attempted to use Filebeat to send Suricata logs directly to Elasticsearch using the provided elasticsearch7-template.json template. I verified the template was loaded in Elasticsearch. However, I believe my filebeat.yml file was incorrectly configured because I was only able to get a logstash- index by modifying 'output.elasticsearch.index', and nothing was displayed in the dashboards. I'm not a Filebeat expert. If you have a filebeat.yml that works with the template, it will eliminate the logstash service from the solution.
Were the indexes created/existing in Kibana/Management?
The indexes were created through the logstash template provided off the README page. It is a slight modification, given that 'type' doesn't exist in 7.x. The indexes did not exist prior to instantiating the stack.
Ok - just to confirm, does the issue appear only on SN-ALL or on SN-ALERTS? From the error it comes in from the
I made a mistake in my last comment. It is only appearing on SN-ALL. I do not have any data in SN-ALERTS so I'm not able to confirm whether it occurs in SN-ALERTS.
Any update on the above?
This patch fixes the issue as mentioned here - #1 (comment)
No worries. Thank you for fixing. Fantastic work on these dashboards, btw!
*Running SELKS 6 + ELK 7.10.0 + X-Pack enabled, so all communications are via https. I am having the same issue. So, the solution is just to enable the "community_id" in Suricata config and restart Suricata, or do I need to perform more steps? Should I use Thank you
It does not seem the issue is related?
Hi @pevma, like I said, I am experiencing the same issue. When I open Discover in Kibana, there's always a pop-up warning stating there is an issue with 2/15 shards. Please see the screenshots below: This issue starts as soon as I enable X-Pack and all the communications are turned over to the https protocol. We have talked about this matter and some side effects this brings to the SELKS suite in other posts. I was hoping that a new SELKS release or patch would fix this and other issues that only appear if the user enables X-Pack with basic security features in ELK. Then I saw this post and I thought that maybe there is an easy way to address this issue, since other users have seen the same error. I tried enabling the community_id in Suricata config, then restarted Suricata and Evebox. The issue does not disappear, it just mutates into a different error, as you can see here: It does not make any difference if I add or leave the Thank you
Any advice?
Think you should use it without the
Hi, I only tried the Checking the
The above logs are from a fresh SELKS 6 install and up to date, including ELK 7.10.0. I have not enabled the What would you recommend me to check/try next? Thank you
Where exactly are you making the change/addition in the scripted fields - is it in
Hi, the error appears when I check app Discover/
Ok - so you mean if you do
Verified one by one all logs in Discover/
Any thoughts?
What do you use the index logstash-service-* for? Out of curiosity, if ok to ask.
Apart from that I think it is a complaint message - do the logs show up or not?
--
Regards,
Peter Manev
On 9 Dec 2020, at 15:16, ManuelFFF wrote:
Hi, I am sorry if I wasn't clear enough in my previous message, so you could be able to help me. Index
Perhaps I should have used logstash-[event_type]-* instead, or just used the exact index name like this time. What I wanted to say is that I checked all the previous indexes, one by one, and the error comes only when I check
I think using
You should be able to import the raw API exports from here -
Was this issue resolved in the master branch? I just pulled and I'm receiving the following:
script_exception at shard 0, index logstash-flow-2020.12.23, node n6KVwvteRyaKlBCWbQPACw
Type: script_exception
Reason: runtime error
Script stack:
org.elasticsearch.index.fielddata.ScriptDocValues$Longs.get(ScriptDocValues.java:121)
org.elasticsearch.index.fielddata.ScriptDocValues$Longs.getValue(ScriptDocValues.java:115)
'ip == ' + doc['src_ip.keyword'].value + ' && port == ' + doc['src_port'].value + ' && ip == ' + doc['dest_ip.keyword'].value + ' && port == ' + doc['dest_port'].value + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase()
^---- HERE
Script: 'ip == ' + doc['src_ip.keyword'].value + ' && port == ' + doc['src_port'].value + ' && ip == ' + doc['dest_ip.keyword'].value + ' && port == ' + doc['dest_port'].value + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase()
Lang: painless
Position offset: 73
Position start: 0
Position end: 232
Caused by type: illegal_state_exception
Caused by reason: A document doesn't have a value for a field! Use doc[].size()==0 to check if a document is missing a field!
Yes it is.
Besides pulling the master branch you need to reload the dashboards.
The other alternative is simply to use the selks-upgrade_stamus routine - that will auto update the dashboards pkg. After that you can reset/reload it from the GUI.
https://github.com/StamusNetworks/SELKS/wiki/How-to-load-or-update-dashboards#from-scirius
--
Regards,
Peter Manev
On 23 Dec 2020, at 07:28, alphaDev23 wrote:
Was this issue resolved in the master branch? I just pulled and I'm receiving the following:
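A guarded version of the scripted field from the error quoted above, added here as an example and not the repository's patch. The caret at offset 73 sits on doc['src_port'].value, so the failing documents are flow records that carry no port fields; this version performs the doc[...].size() check the Elasticsearch message asks for on every field before reading .value. It assumes the field is defined on the logstash-* index pattern with type "string" and lang "painless".

```painless
// Added example (not the project's own patch): Kibana scripted field equivalent
// to the one in the error above, but tolerant of documents missing a field.
// doc['x'].value on a document without x throws the illegal_state_exception
// seen in the issue; doc['x'].size() == 0 is the documented way to detect it.
// Flow records without ports (ICMP flows, for example) are one such case.
List needed = ['src_ip.keyword', 'src_port', 'dest_ip.keyword', 'dest_port', 'proto.keyword'];
for (def f : needed) {
  // containsKey guards against a field absent from the index mapping entirely;
  // size() guards the per-document case that triggered the shard failure.
  if (!doc.containsKey(f) || doc[f].size() == 0) {
    return null;   // leave the scripted field empty instead of failing the shard
  }
}
return 'ip == ' + doc['src_ip.keyword'].value
  + ' && port == ' + doc['src_port'].value
  + ' && ip == ' + doc['dest_ip.keyword'].value
  + ' && port == ' + doc['dest_port'].value
  + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase();
```

Documents that lack any of the five fields now render an empty value in Discover rather than raising the 2/15-shards warning for the whole query.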
I've recreated the entire ELK stack. Same issue. Please advise.
I think you can try to load all the ndjson from the Kibana management web GUI - Saved objects - (with an option to overwrite conflicts).
I think this is what could be causing some vizs not to be updated.
--
Regards,
Peter Manev
On 25 Dec 2020, at 23:09, alphaDev23 wrote:
I upgraded to a 7.10.1 stack. Indexes (22) and queries (4) load. Others do not. After executing the following, there are no visualizations in Kibana's saved objects.
bash-4.2$ curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form ***@***.***
count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-ALERTEventsOverTime","meta":{"title":"SN-PerVLAN-ALERTEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-DNSEventsOverTime","meta":{"title":"SN-PerVLAN-DNSEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-FILETransEventsOverTime","meta":{"title":"SN-PerVLAN-FILETransEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-HTTPEventsOverTime","meta":{"title":"SN-PerVLAN-HTTPEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-SMTPEventsOverTime","meta":{"title":"SN-PerVLAN-SMTPEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-SSHEventsOverTime","meta":{"title":"SN-PerVLAN-SSHEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-TLSEventsOverTime","meta":{"title":"SN-PerVLAN-TLSEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Proto-app_proto","meta":{"title":"SN-Proto-app_proto","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Protocol","meta":{"title":"SN-Protocol","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-AttachmentsExtension","meta":{"title":"SN-SMTP-AttachmentsExtension","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-GeoIP","meta":{"title":"SN-SMTP-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-SmtpOverTime","meta":{"title":"SN-SMTP-SmtpOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20DestIP","meta":{"title":"SN-SMTP-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20DestPort","meta":{"title":"SN-SMTP-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20MailApplications","meta":{"title":"SN-SMTP-Top20MailApplications","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20MailOrganisations","meta":{"title":"SN-SMTP-Top20MailOrganisations","ic
on":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20MailSendingIPs","meta":{"title":"SN-SMTP-Top20MailSendingIPs","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20SrcIP","meta":{"title":"SN-SMTP-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20SrcPort","meta":{"title":"SN-SMTP-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20VLAN","meta":{"title":"SN-SMTP-Top20VLAN","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20VLANsOverTime","meta":{"title":"SN-SMTP-Top20VLANsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20mail_from","meta":{"title":"SN-SMTP-Top20mail_from","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20rcpt_to","meta":{"title":"SN-SMTP-Top20rcpt_to","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByClientProtoVer","meta":{"title":"SN-SSH-ByClientProtoVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByClientSoftwareVer","meta":{"title":"SN-SSH-ByClientSoftwareVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByServerProtoVer","meta":{"title":"SN-SSH-ByServerProtoVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByServerSoftwareVer","meta":{"title":"SN-SSH-ByServerSoftwareVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Client-version","meta":{"title":"SN-SSH Client version","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Connections","meta":{"title":"SN-SSH Connections","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Connections-by-appliance","meta":{"title":"SN-SSH Connections by appliance","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Connections-count","meta":{"title":"SN-SSH Connections 
count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-EventsOverTime","meta":{"title":"SN-SSH-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-GeoIP","meta":{"title":"SN-SSH-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Server-version","meta":{"title":"SN-SSH Server version","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20DestIP","meta":{"title":"SN-SSH-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20DestPort","meta":{"title":"SN-SSH-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20SrcIP","meta":{"title":"SN-SSH-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20SrcPort","meta":{"title":"SN-SSH-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Transaction-Details","meta":{"title":"SN-SSH TransactionDetails","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-count","meta":{"title":"SN-SSH count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-transactions-count","meta":{"title":"SN-SSH transactionscount","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-transactions-over-time","meta":{"title":"SN-SSH transactions over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Src-and-dst-IP-unique-count","meta":{"title":"SN-Src and dst IP unique 
count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-CapturedPktsVsGaps","meta":{"title":"SN-Stats-CapturedPktsVsGaps","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Decoder-Deltas","meta":{"title":"SN-Stats-Decoder-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-DecoderAvgMaxPktSize","meta":{"title":"SN-Stats-DecoderAvgMaxPktSize","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-DecoderBytes-Packets","meta":{"title":"SN-Stats-DecoderBytes-Packets","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-DecoderProto-Deltas","meta":{"title":"SN-Stats-DecoderProto-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-EmergencyMode","meta":{"title":"SN-Stats-EmergencyMode","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Frags","meta":{"title":"SN-Stats-Frags","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Frags-Deltas","meta":{"title":"SN-Stats-Frags-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-KernelPacketsAndDrops-Deltas","meta":{"title":"SN-Stats-KernelPacketsAndDrops-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Memcap-Deltas","meta":{"title":"SN-Stats-Memcap-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-TotalKernelPackets","meta":{"title":"SN-Stats-TotalKernelPackets","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-ipv4-ipv6-fragments","meta":{"title":"SN-Stats-ipv4-ipv6-fragments","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-memuse-Deltas","meta":{"title":"SN-Stats-memuse-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Syn-SynAck-Rst","meta":{"title":"SN-Syn-SynAck-Rst","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-ByIssuerdn","meta":{"title":"SN-TLS-ByIssuerdn","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-BySni","meta":{"title":"SN-TLS-BySni","icon":"visualizeApp"}},{"type":"visualizat
ion","id":"SN-TLS-BySubject","meta":{"title":"SN-TLS-BySubject","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-ByVersionBySni","meta":{"title":"SN-TLS-ByVersionBySni","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-EventsOverTime","meta":{"title":"SN-TLS-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-GeoIP","meta":{"title":"SN-TLS-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-TCP-ports","meta":{"title":"SN-TLS TCP ports","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20DestIP","meta":{"title":"SN-TLS-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20DestPort","meta":{"title":"SN-TLS-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20SrcIP","meta":{"title":"SN-TLS-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20SrcPort","meta":{"title":"SN-TLS-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-certificates-issuers-and-subjects","meta":{"title":"SN-TLS certificates issuers and subjects","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-fingerprints","meta":{"title":"SN-TLS fingerprints","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-by-appliance","meta":{"title":"SN-TLS transactions byappliance","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-count","meta":{"title":"SN-TLS transactions count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-over-time","meta":{"title":"SN-TLS transactions over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-table","meta":{"title":"SN-TLS transactions table","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-versions","meta":{"title":"SN-TLS 
versions","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timeline","meta":{"title":"SN-Timeline","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Alert-Category","meta":{"title":"SN-Timelion-Alert-Category","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Alert-Country","meta":{"title":"SN-Timelion-Alert-Country","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Alert-Severity","meta":{"title":"SN-Timelion-Alert-Severity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-NULL","meta":{"title":"SN-Timelion-DNS-NULL","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-NXDOMAIN","meta":{"title":"SN-Timelion-DNS-NXDOMAIN","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-TXT","meta":{"title":"SN-Timelion-DNS-TXT","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-slash-request-slash-reply","meta":{"title":"SN-Timelion-DNS/request/reply","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Flow-App_proto","meta":{"title":"SN-Timelion-Flow-App_proto","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-HTTP-slash-DNS-slash-SMTP","meta":{"title":"SN-Timelion-HTTP/DNS/SMTP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-HTTP-statuscode-522-slash-523-slash-0","meta":{"title":"SN-Timelion-HTTP-statuscode-522/523/0","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-ICMP-request-reply","meta":{"title":"SN-Timelion-ICMP-request-reply","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-IPv4-slash-IPv6","meta":{"title":"SN-Timelion-IPv4/IPv6","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-PPS-slash-Alerts","meta":{"title":"SN-Timelion-PPS/Alerts","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-S-slash-SA-slash-R","meta":{"title":"SN-Timelion-S/SA/R","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-SSH-slash-TLS-slash-D
NP3","meta":{"title":"SN-Timelion-SSH/TLS/DNP3","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Signatures","meta":{"title":"SN-Timelion-Signatures","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-TCP-slash-UDP-flows","meta":{"title":"SN-Timelion-TCP/UDP-flows","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-host","meta":{"title":"SN-Timelion-host","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopDestPortsByCountry","meta":{"title":"SN-TopDestPortsByCountry","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopDestPortsByCountryByCity","meta":{"title":"SN-TopDestPortsByCountryByCity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopDstIPDstPort","meta":{"title":"SN-TopDstIPDstPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopSrcIPSrcPort","meta":{"title":"SN-TopSrcIPSrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopSrcPortsByCountry","meta":{"title":"SN-TopSrcPortsByCountry","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopSrcPortsByCountryByCity","meta":{"title":"SN-TopSrcPortsByCountryByCity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Traffic-events-type-timeline","meta":{"title":"SN-Traffic events type timeline","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Urls-visited","meta":{"title":"SN-Urls 
visited","icon":"visualizeApp"}},{"type":"visualization","id":"SN-VLAN-ByEventType","meta":{"title":"SN-VLAN-ByEventType","icon":"visualizeApp"}},{"type":"visualization","id":"SN-VLAN-Top20VLANsUsed","meta":{"title":"SN-VLAN-Top20VLANsUsed","icon":"visualizeApp"}},{"type":"visualization","id":"a17b9ea0-74d9-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Authentication-Sectype","icon":"visualizeApp"}},{"type":"visualization","id":"a1aa05e0-cb40-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByType","icon":"visualizeApp"}},{"type":"visualization","id":"a6376820-cb3e-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-BySrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"a987de80-1cdf-11ea-9ee1-11f0d2cd99c4","meta":{"title":"SN-ThreatHunt-HTTP-PossibleC2Beacons-BySrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"aa00adb0-c191-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"aa0139c0-d333-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-BySrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"ab975d80-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-DNS-Total","icon":"visualizeApp"}},{"type":"visualization","id":"acba4210-c1d6-11e8-9888-3f5bc9c31629","meta":{"title":"SN-FILE-ByAppProto","icon":"visualizeApp"}},{"type":"visualization","id":"ae49bf50-73f2-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Top100-DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"ae4b74f0-c1cc-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Filename","icon":"visualizeApp"}},{"type":"visualization","id":"af7f6010-c1d7-11e8-9888-3f5bc9c31629","meta":{"title":"SN-FILE-ByHTTPByHostnameServed","icon":"visualizeApp"}},{"type":"visualization","id":"af89b340-734b-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-Code","icon":"visualizeApp"}},{"type":"visualization","id":"b1b33d60-c192-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualizati
on","id":"b6471090-74d8-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"b6867ae0-c193-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-VerMajMinor","icon":"visualizeApp"}},{"type":"visualization","id":"b85da310-d332-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-Count","icon":"visualizeApp"}},{"type":"visualization","id":"b9784930-c1cb-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-ServerGUID","icon":"visualizeApp"}},{"type":"visualization","id":"bb4f69c0-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-IKEv2-Total","icon":"visualizeApp"}},{"type":"visualization","id":"bbf76020-73f3-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"bd453c20-735f-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-TotalCount","icon":"visualizeApp"}},{"type":"visualization","id":"be131f50-c1d1-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"be29a460-74ee-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-ClientBuild","icon":"visualizeApp"}},{"type":"visualization","id":"c05711b0-d331-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-ByIndicators","icon":"visualizeApp"}},{"type":"visualization","id":"c1122430-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByFailedRequests","icon":"visualizeApp"}},{"type":"visualization","id":"c11cccc0-c198-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Routers-Servers","icon":"visualizeApp"}},{"type":"visualization","id":"c199c3d0-734c-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-ByVlan","icon":"visualizeApp"}},{"type":"visualization","id":"c2fc55d0-c1d2-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-File","icon":"visualizeApp"}},{"type":"visualization","id":"c3997530-74dd-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-Top100-SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"c6659f50-73f2-11ea-abd9-295bc1fa20bb","m
eta":{"title":"SN-SNMP-Top100-DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"c66d1450-74ed-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"c7d5e520-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-SSH-Total","icon":"visualizeApp"}},{"type":"visualization","id":"c8657640-c1c9-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"cdbbf0f0-caf3-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"cf040440-c1d2-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-Mode","icon":"visualizeApp"}},{"type":"visualization","id":"d13dacf0-c198-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Type","icon":"visualizeApp"}},{"type":"visualization","id":"d1427890-cc04-11e8-aae9-99442e2ed6cc","meta":{"title":"SN-TrafficID-ByTrafficID","icon":"visualizeApp"}},{"type":"visualization","id":"d2061990-7d8c-11ea-af8c-954c77eacc8f","meta":{"title":"SN-TLS-ByJa3SHash","icon":"visualizeApp"}},{"type":"visualization","id":"d294cdf0-c197-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"d39f5450-cc04-11e8-aae9-99442e2ed6cc","meta":{"title":"SN-TrafficID-ByTrafficID","icon":"visualizeApp"}},{"type":"visualization","id":"d45f0ba0-73f2-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Top100-SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"d4b13740-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-DHCP-Total","icon":"visualizeApp"}},{"type":"visualization","id":"d5843f00-c192-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"d5c45630-74dd-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-Top100-SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"d6358e70-73f4-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Usm","icon":"visualizeApp"}},{"type":"visu
alization","id":"d6720b50-c19b-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Releays","icon":"visualizeApp"}},{"type":"visualization","id":"dcd91fb0-c1d2-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-Packet","icon":"visualizeApp"}},{"type":"visualization","id":"dd9b8e50-cb33-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-EventsOverTimeByVersion","icon":"visualizeApp"}},{"type":"visualization","id":"dec25e60-74ee-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-ClientName","icon":"visualizeApp"}},{"type":"visualization","id":"dfe2a9f0-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-HTTP-Total","icon":"visualizeApp"}},{"type":"visualization","id":"e20c8650-d331-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-BySrc","icon":"visualizeApp"}},{"type":"visualization","id":"e41ad0b0-c1c9-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"e4aa4cb0-081a-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-MQTT-ConnUsernames","icon":"visualizeApp"}},{"type":"visualization","id":"e67a7c10-74de-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-SipCode","icon":"visualizeApp"}},{"type":"visualization","id":"e7337e70-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByMsgType","icon":"visualizeApp"}},{"type":"visualization","id":"e7c2b5c0-c197-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"ea18f570-c1d1-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"ea8a7000-c191-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"eafe1a30-73f3-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-ByVlan","icon":"visualizeApp"}},{"type":"visualization","id":"eb100030-cc04-11e8-aae9-99442e2ed6cc","meta":{"title":"SN-TrafficID-ByTrafficLabel","icon":"visualizeApp"}},{"type":"visualization","id":"ec437ac0-c1ca-11e8-9888-3f5bc9c31629","meta":{"title":
"SN-SMB-Function","icon":"visualizeApp"}},{"type":"visualization","id":"ecbb25e0-74d7-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Top100-SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"ede2f660-cb40-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByStatus","icon":"visualizeApp"}},{"type":"visualization","id":"eef848e0-cb3e-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByDestIP","icon":"visualizeApp"}},{"type":"visualization","id":"f14a6010-74d9-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Server-Security-Failure","icon":"visualizeApp"}},{"type":"visualization","id":"f2024e50-74ed-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-TotalEvents","icon":"visualizeApp"}},{"type":"visualization","id":"f87379e0-c197-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"f9c21fc0-caf4-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"fab31360-c1c8-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"fcae7fd0-734a-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-EventsOverTimeByAppProto","icon":"visualizeApp"}},{"type":"visualization","id":"fd1577f0-c1c9-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"fde239e0-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByRealm","icon":"visualizeApp"}}],"errors":[{"type":"index-pattern","id":"92edee20-74c4-11ea-bb42-278f04c43ada","title":"logstash-sip-","meta":{"title":"logstash-sip-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"06e1e3c0-c1c7-11e8-9888-3f5bc9c31629","title":"logstash-smb-","meta":{"title":"logstash-smb-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"770c39b0-c1c8-11e8-9888-3f5bc9c31629","title":"logstash-tftp-","meta":{"title":"logstash-tftp-","icon":"ind
exPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"de695070-74c3-11ea-bb42-278f04c43ada","title":"logstash-rfb-","meta":{"title":"logstash-rfb-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"e2f3d2c0-73e0-11ea-abd9-295bc1fa20bb","title":"logstash-snmp-","meta":{"title":"logstash-snmp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"35f3ece0-cae5-11e8-9f69-c36de0ada098","title":"logstash-nfs-","meta":{"title":"logstash-nfs-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"84c3b570-c190-11e8-9888-3f5bc9c31629","title":"logstash-dhcp-","meta":{"title":"logstash-dhcp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"036d9030-74eb-11ea-bb42-278f04c43ada","title":"logstash-rdp-","meta":{"title":"logstash-rdp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"defa6c90-cae7-11e8-9f69-c36de0ada098","title":"logstash-krb5-","meta":{"title":"logstash-krb5-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"cc5489c0-06e2-11eb-bd80-0b9cf2e814b3","title":"logstash-mqtt-","meta":{"title":"logstash-mqtt-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"fed9ba80-7319-11ea-b5dd-05bd1e5fbf82","title":"logstash-anomaly-","meta":{"title":"logstash-anomaly-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-flow-","title":"logstash-flow-","meta":{"title":"logstash-flow-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-fileinfo-","title":"logstash-fileinfo-","meta":{"title":"logstash-fileinfo-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"699cedb0-d31b-11e8-8a07-17cc065d3fe1","title":"logstash-dnp3-","meta":{"title":"logstash-dnp3-","icon":"indexPatternApp"},"error":{"type":"conflict"
}},{"type":"index-pattern","id":"logstash-tls-","title":"logstash-tls-","meta":{"title":"logstash-tls-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-alert-","title":"logstash-alert-","meta":{"title":"logstash-alert-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-ssh-","title":"logstash-ssh-","meta":{"title":"logstash-ssh-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-http-","title":"logstash-http-","meta":{"title":"logstash-http-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"769209d0-c18a-11e8-9888-3f5bc9c31629","title":"logstash-ikev2-","meta":{"title":"logstash-ikev2-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-smtp-","title":"logstash-smtp-","meta":{"title":"logstash-smtp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-","title":"logstash-","meta":{"title":"logstash-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-dns-","title":"logstash-dns-","meta":{"title":"logstash-dns-*","icon":"indexPatternApp"},"error":{"type":"conflict"}}]
|
Is there a way to load via curl to resolve the issue? Manual loading of saved objects is less than ideal given that the stack can be, and often is, torn down and re-created. I have added the curl commands to a bootstrap in logstash where these are best located. |
I meant it as a quick test to confirm if that is the case.
--
Regards,
Peter Manev
|
I attempted to import visualizations.ndjson...received:
Sorry, there was an error
The file could not be processed due to error: "Failed to fetch" |
Was that via the command line or gui ?
|
On the command line you can try to overwrite by adding that to the command
/_import?overwrite=true
|
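The overwrite re-import discussed above, written out as an added Python helper (not code from this thread or from the dashboards project): it builds the multipart POST for Kibana's saved-objects import endpoint and, from the JSON result, lists the objects Kibana refused with a conflict error, which is what `?overwrite=true` resolves on the next run. The Kibana base URL, the export file name and the sample response are constructed assumptions.

```python
"""Kibana saved-objects import with conflict reporting.

Added example, not part of the Suricata dashboards project. Assumes a
Kibana 7.x /api/saved_objects/_import endpoint; the base URL, export file
name and SAMPLE_RESULT below are constructed, not taken from a live stack.
"""
from __future__ import annotations

import json
import urllib.request
import uuid

IMPORT_PATH = "/api/saved_objects/_import"


def import_url(kibana_base: str, overwrite: bool = False) -> str:
    """URL for the import API; with overwrite=true an object that already
    exists is replaced instead of being reported as a conflict."""
    url = kibana_base.rstrip("/") + IMPORT_PATH
    return url + "?overwrite=true" if overwrite else url


def build_request(kibana_base: str, ndjson: bytes,
                  filename: str = "visualizations.ndjson",
                  overwrite: bool = False) -> urllib.request.Request:
    """multipart/form-data POST equivalent to `curl -F file=@<export>`.
    Kibana rejects every write call that lacks the kbn-xsrf header."""
    boundary = uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/ndjson\r\n\r\n"
    ).encode() + ndjson + f"\r\n--{boundary}--\r\n".encode()
    return urllib.request.Request(
        import_url(kibana_base, overwrite),
        data=body,
        method="POST",
        headers={
            "kbn-xsrf": "true",
            "Content-Type": f"multipart/form-data; boundary={boundary}",
        },
    )


def conflicts(result: dict) -> list[tuple[str, str, str]]:
    """(type, id, title) of each saved object refused with error.type == conflict."""
    out = []
    for err in result.get("errors", []):
        if err.get("error", {}).get("type") == "conflict":
            title = err.get("title") or err.get("meta", {}).get("title", "")
            out.append((err["type"], err["id"], title))
    return out


def summarize(result: dict) -> dict:
    """Counts a bootstrap script can act on: re-run with overwrite=True when
    conflicts > 0, fail hard when other_errors > 0 (missing references etc.)."""
    errs = result.get("errors", [])
    conflict_count = len(conflicts(result))
    return {
        "success": bool(result.get("success")),
        "imported": int(result.get("successCount", 0)),
        "conflicts": conflict_count,
        "other_errors": len(errs) - conflict_count,
    }


def run_import(kibana_base: str, ndjson: bytes, overwrite: bool = False,
               opener=urllib.request.urlopen) -> dict:
    """Send the export and decode Kibana's JSON answer (needs a reachable Kibana)."""
    with opener(build_request(kibana_base, ndjson, overwrite=overwrite)) as resp:
        return json.load(resp)


# Constructed sample response in the shape Kibana returns: one object was
# created, two index patterns already existed and came back as conflicts.
SAMPLE_RESULT = {
    "success": False,
    "successCount": 1,
    "errors": [
        {"type": "index-pattern", "id": "logstash-flow-", "title": "logstash-flow-",
         "meta": {"title": "logstash-flow-", "icon": "indexPatternApp"},
         "error": {"type": "conflict"}},
        {"type": "index-pattern", "id": "logstash-http-", "title": "logstash-http-",
         "meta": {"title": "logstash-http-", "icon": "indexPatternApp"},
         "error": {"type": "conflict"}},
    ],
}

if __name__ == "__main__":
    print(summarize(SAMPLE_RESULT))
    # {'success': False, 'imported': 1, 'conflicts': 2, 'other_errors': 0}
```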
Your suggestion appeared to resolve the issue but I'm now receiving errors in at least the following dashboards: HTTP Alerts |
Maybe you don't have those logs/fields for those visualizations? |
It appears that all the logs are in the logstash-flow- indexes. Is this correct or is there an issue with templates, etc? |
It could be that you don't have traffic?
It could be the ES template, but I don't think it's related to the dashboards or visualisations.
|
I do have http traffic. |
Any thoughts on the above? There are no logstash-http-* indexes in ES, which I believe are expected in order for the SN-HTTP dashboard to work correctly. I only have 2 ES indexes related to the dashboards, logstash-flow-* and logstash-*. Is there anything additional that needs to be added to filebeat.yml (below)?
|
Have you made any changes to the ES template? I cannot think of any other reason; it is either that or there is actually no such traffic? |
I have not made any changes to the ES template. There is http traffic on the interface (on a router), internet facing, because I have a web server on the inside interface and I can connect to it from an external IP. |
Ok - (sorry did not understand) do you see that http traffic on the sniffing interface of SELKS with tcpdump ? |
The traffic is from internet -> router (running suricata and filebeat) -> ELK stack. That is, suricata is storing the logs in the eve.json file and filebeat is shipping the logs to the ELK stack. The logstash-flow and logstash indexes are being created. The logstash-http indexes are not. Note, this was not an issue in the 6.x version. |
Do you see the http with tcpdump on the sniffing interface, just confirming ? |
Yes, there is both http and https traffic in tcpdump. I assume that the logstash-http captures both http and https. The website is accessible externally on both http and https. The traffic is showing in the eve.json file (actual IP addresses replaced with vars), e.g.
|
Ok, thank you for the update. Do you have a recent |
Here are 2, IP and DOMAIN are substituted for actual: {"timestamp":"2021-01-20T16:38:52.910511+0000","flow_id":1809817020410129,"in_iface":"eth0","event_type":"http","src_ip":"124.156.102.27","src_port":48470,"dest_ip":"<IP>","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"","url":"/","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":302,"redirect":"https://<DOMAIN>/","length":220}} |
ok , thank you for confirming. |
Yes, in Kibana all the indexes are created with different protocols including logstash-http-* |
Ok so that seems correct. |
These are not in any dashboard. The 'SN-HTTP' dashboard has a count of 0. |
Can you show the output of |
There is no logstash user on the router; Logstash is on a separate server. Filebeat is sending logs from eve.json to Elasticsearch. The issue is occurring because there are no logstash-http-* indexes being created. This differs from what was occurring in V6 of the dashboards. I've modified filebeat.yml to what is below, but it is still not working; I believe because filebeat is not identifying "event_type" in the 'output.elasticsearch.index'. Note, the addition of the variables 'setup.template.', with the exception of 'setup.template.json.', is due to a filebeat bug. These should not be needed absent the bug. Thoughts on how filebeat can send the correct index to elasticsearch by using the 'event_type' field? filebeat.inputs:
output.elasticsearch: setup.template: |
Do you have default SELKS or you have made customizations? |
I'm not using SELKS in the architecture. The router is running suricata and filebeat which sends the logs an ELK stack. Actually, in this case, Logstash is not needed since the filebeat logs are going direct to Elasticsearch. |
I was not aware of that - that you are not using selks but a custom set up - the troubleshooting will be totally different in that case. You should look at the logstash template for SELKS and use a similar approach. |
I had the same issue, but I fixed it by changing the index pattern script code of the EveBox in logstash-alert-*. It is simply because the script does not check the missing field or missing value. |
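For reference, this is what a guarded version of that scripted field looks like. It is an added example written for this thread, not the project's own script: a Kibana scripted field in Painless that returns the `flow_id` value only when the field is mapped in the index and the document actually carries a value, which avoids the "No field found for [flow_id] in mapping" runtime error shown above on indices (such as a flow or fileinfo index) that never define the field.

```painless
// Kibana scripted field (Painless), added example rather than the project's own code.
// Two separate failure modes are handled:
//   1. the field is absent from the index mapping  -> doc.containsKey(...) is false
//   2. the field is mapped but this document has no value -> doc[...].size() == 0
// Either case previously caused doc['flow_id'].value to throw and fail every shard.
if (doc.containsKey('flow_id') && doc['flow_id'].size() != 0) {
  return doc['flow_id'].value;
}
// Returning null leaves the scripted field empty for documents without a flow_id,
// so visualizations across mixed index patterns keep working instead of erroring.
return null;
```

The same pattern applies to any other scripted field that dereferences `.value` directly; the `containsKey` check is the one that matters when an index pattern like `logstash-*` spans indices with different mappings.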
Hi, I've tried to import the dashboards following the method
Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:94)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:41)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"logstash-2020.04.29-000001","node":"RmOnDn2mSsWSKkNKg2bgsA","reason":{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:94)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:41)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless","caused_by":{"type":"illegal_argument_exception","reason":"No field found for [flow_id] in mapping with types []"}}}]},"status":400}
I'm reading from a Remote PFSENSE via Filebeats. The logs hit Elastic after all of the filtering etc..
Thank you