Hi, I followed the steps mentioned in your blog to send Zeek logs to Elastic. I installed Zeek version 4.0.7 and Filebeat version 7.17.5. The Elasticsearch and Kibana version is 7.15.0. Filebeat is unable to send Zeek logs to Elastic under the category event.module : “zeek”. Rather, the logs are visible in the Discover tab in general.
@timestamp: Jul 26, 2022 @ 08:56:48.537
agent.ephemeral_id: a330a046-34d5-48a0-8a57-c24ba0d97fe4
agent.hostname: bakhtawar
agent.id: 5542248b-ad82-4666-be57-6cb13db685de
agent.name: bakhtawar
agent.type: filebeat
agent.version: 7.17.5
container.id: ssl.log
ecs.version: 1.12.0
host.architecture: x86_64
host.containerized: false
host.hostname: bakhtawar
host.id: fd55a894765441258c780e102d780210
host.ip: 10.0.2.5, fe80::9b4:1ec:5e3a:c4c4
host.mac: 08:00:27:0e:7f:66
host.name: bakhtawar
host.os.codename: focal
host.os.family: debian
host.os.kernel: 5.15.0-41-generic
host.os.name: Ubuntu
host.os.platform: ubuntu
host.os.type: linux
host.os.version: 20.04.3 LTS (Focal Fossa)
input.type: filestream
log.file.path: /opt/zeek/logs/current/ssl.log
log.offset: 10,392
message:
However, when I view the logs under event module zeek, it shows no results. Can you please tell me why it is showing this abnormal behaviour? Thank you.
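As an added troubleshooting aid (not code from the blog or from the poster): a small Python script that parses a field dump in the form pasted above and checks it for the fields a Filebeat module stamps on every event it ships. It assumes the zeek module sets event.module=zeek, event.dataset=zeek.&lt;log&gt;, fileset.name=&lt;log&gt; and service.type=zeek, and the embedded sample is a subset of the fields copied from the post.

```python
import re

# Fields every Filebeat module stamps on the events it ships; for the zeek
# module they are assumed to read event.module=zeek, event.dataset=zeek.<log>,
# fileset.name=<log>, service.type=zeek. A document without them was picked
# up by a plain input in filebeat.yml, not by the module.
MODULE_FIELDS = ("event.module", "event.dataset", "fileset.name", "service.type")
KEY_RE = re.compile(r"^[@\w.]+:$")  # a Kibana field-name line, e.g. "host.ip:"

def parse_kibana_dump(text: str) -> dict:
    """Turn alternating 'field:' / 'value' lines into a flat dict.
    A field line with no following value line gets an empty string."""
    doc, pending = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if KEY_RE.match(line):
            if pending is not None:
                doc[pending] = ""
            pending = line[:-1]
        elif pending is not None:
            doc[pending] = line
            pending = None
    if pending is not None:
        doc[pending] = ""
    return doc

def diagnose(doc: dict) -> dict:
    """Say whether the document came through the zeek module and, if not,
    which module fields are absent and what values the log path implies."""
    path = doc.get("log.file.path", "")
    log_name = re.sub(r"\.log$", "", path.rsplit("/", 1)[-1]) or None
    missing = [f for f in MODULE_FIELDS if f not in doc]
    expected = {"event.module": "zeek", "event.dataset": f"zeek.{log_name}",
                "fileset.name": log_name, "service.type": "zeek"} if log_name else {}
    return {"from_module": not missing and doc.get("event.module") == "zeek",
            "missing": missing, "input_type": doc.get("input.type"),
            "zeek_log": log_name, "expected": expected}

# Constructed sample: a subset of the document fields pasted in the post.
SAMPLE_DUMP = """
input.type:
filestream
log.file.path:
/opt/zeek/logs/current/ssl.log
message:
"""

if __name__ == "__main__":
    print(diagnose(parse_kibana_dump(SAMPLE_DUMP)))
```

For the pasted document the report lists all four module fields as missing and input.type as filestream, which is what distinguishes a generic input from the module pipeline.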