logstash cfg

input {
  lumberjack {
    # The port to listen on
    port => 5043

    # The paths to your ssl cert and key
    ssl_certificate => "/etc/logstash/pki/lumberjack.pub"
    ssl_key => "/etc/logstash/pki/lumberjack.key"

    # Set this to whatever you want.
    codec => json
  }
}

output {
  elasticsearch { embedded => true }
}

logstash-forwarder cfg

{
  "network": {
    "servers": [ "xxx:5043" ],
    "ssl certificate": "./lumberjack.pub",
    "ssl key": "./lumberjack.key",
    "ssl ca": "./lumberjack.pub"
  },
  "files": [
    {
      "paths": [ "/var/log/suricata/eve.json" ],
      "fields": { "type": "suricata" }
    }
  ]
}

original logfile (eve-log)

{"timestamp":"2014-03-06T21:16:37.504348","event_type":"file","src_ip":"145.58.28.182","src_port":80,"dest_ip":"192.168.1.3","dest_port":50299,"proto":"TCP","http":{"url":"/data/video/xs/2014/03/06/2000davidjan-CNO140306WY_1.jpg","hostname":"content.nos.nl","http_refer":"http://nos.nl/nieuws/","http_user_agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"},"file":{"filename":"/data/video/xs/2014/03/06/2000davidjan-CNO140306WY_1.jpg","magic":"JPEG image data, JFIF standard 1.01, comment: \"CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 75\"","state":"CLOSED","md5":"5555df62babf01d13bbc07ba57c9d83a","stored":false,"size":2773}}

raw data of similar record with codec 'plain'

{
  "_index": "logstash-2014.03.06",
  "_type": "suricata",
  "_id": "R27_77lYRnWXVp4ri_J5Fg",
  "_score": null,
  "_source": {
    "message": "{\"timestamp\":\"2014-03-06T21:30:35.125828\",\"event_type\":\"file\",\"src_ip\":\"62.69.174.75\",\"src_port\":80,\"dest_ip\":\"192.168.x.x\",\"dest_port\":34782,\"proto\":\"TCP\",\"http\":{\"url\":\"/blah/\",\"hostname\":\"www.nu.nl\",\"http_refer\":\"http://www.nu.nl/\",\"http_user_agent\":\"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0\"},\"file\":{\"filename\":\"/achterklap/\",\"magic\":\"HTML document, ASCII text\",\"state\":\"CLOSED\",\"md5\":\"35075416e27fee1cb94d58a050fe893c\",\"stored\":false,\"size\":65536}}",
    "@version": "1",
    "@timestamp": "2014-03-06T21:31:57.295Z",
    "file": "/var/log/suricata/eve.json",
    "host": "n270",
    "offset": "37227879",
    "type": "suricata"
  },
  "sort": [
    1394141517295,
    1394141517295
  ]
}

raw data view in kibana

{
  "_index": "logstash-2014.03.06",
  "_type": "suricata",
  "_id": "wJPl4nfISd2sXV-CwoUQog",
  "_score": null,
  "_source": {
    "timestamp": "2014-03-06T21:16:37.504348",
    "event_type": "file",
    "src_ip": "145.58.28.182",
    "src_port": 80,
    "dest_ip": "192.168.1.3",
    "dest_port": 50299,
    "proto": "TCP",
    "http": {
      "url": "/data/video/xs/2014/03/06/2000davidjan-CNO140306WY_1.jpg",
      "hostname": "content.nos.nl",
      "http_refer": "http://nos.nl/nieuws/",
      "http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"
    },
    "file": "/var/log/suricata/eve.json",
    "@version": "1",
    "@timestamp": "2014-03-06T21:16:38.831Z",
    "host": "n270",
    "offset": "34768112",
    "type": "suricata"
  },
  "sort": [
    1394140598831,
    1394140598831
  ]
}

Note that the original contains

"file":{"filename":"/data/video/xs/2014/03/06/2000davidjan-CNO140306WY_1.jpg","magic":"JPEG image data, JFIF standard 1.01, comment: \"CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 75\"","state":"CLOSED","md5":"5555df62babf01d13bbc07ba57c9d83a","stored":false,"size":2773}}

The kibana data doesn't show it and it instead has:

"file": "/var/log/suricata/eve.json",