I followed the official documentation and I've changed Zeek's output to JSON logs, but somehow the zeek module from Filebeat doesn't enrich data with ECS fields. Filebeat sends the logs, but without adding the extra fields as per ECS and its GitHub code. Just to give you an example, there is no event.dataset or source.ip etc.
So there are a few things we need to rule out here to find out where the issue might be, whether it's in our parsing or just a misconfiguration somewhere.
Would you be able to provide a single line from the logfile you are trying to read? And if possible a copy of the filebeat.yml and zeek.yml files? Feel free to remove or obfuscate any sensitive information like usernames and passwords etc.
So the installation is not quite straightforward, but I managed to run ELK with Docker. I think a video demo of the installation of ELK would help the community a lot.