No parsing of suricata events when running in offline PCAP modus

[hsportel]

Scenario:

Elastic 7.x / 8.x: when running filebeat / or elastic agent for suricata, there is no mapping/parsing of events in ECS,
If you use suricata in offline PCAP modus, only the last suricata "stats" entry in the eve.json is being mapped.

If you run suricata in live modus, (listening on the network interface) there is no problem with mapping of events.

[botelastic]

This issue doesn't have a Team:<team> label.

[botelastic]

Thank you very much for creating this issue. However, we would kindly like to ask you to post all questions and issues on the Discuss forum first. In addition to awesome, knowledgeable community contributors, core Beats developers are on the forums every single day to help you out as well. So, your questions will reach a wider audience there, and if we confirm that there is a bug, then you can reopen this issue with the new information or open a new one.

[botelastic]

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

[hsportel]

Is no longer a issue anymore!