Hi Everyone,
ELK newb here. I do not have data appearing in the Filebeat Zeek Dashboard.
I have two servers in a lab environment both running Ubuntu 18.04. The first server is running Zeek and Filebeat with Zeek module enabled. The second server is running Elasticsearch and Kibana. I'm running the newest version of Elasticsearch, 7.8.1.
I have been following the walkthroughs for installing Elasticsearch, Kibana, and Filebeat, so I don't believe I have anything out of the ordinary in my configurations.
I have Zeek logs showing up in Logs and Discovery. See screenshot for sample log.
However, they are not showing in the Dashboards. After inspecting the Visualization, it appears the logs are showing up (Hits (total)), but are not being returned by the query (Hits). See attached screenshot.
Also, if I take the query request (zeek.dns.query) and put it in Discovery, nothing is returned.
I've rebuilt the lab twice and tried expanding the time, but results are the same. I feel like I'm missing something in the mapping between the logs and the query. Please let me know what else I can provide. Your guidance and recommendations are greatly appreciated.
Thanks,
George
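One way to check the "mapping between the logs and the query" suspicion from the post, as an added Python example that is not part of the original post or of Filebeat/Kibana: it walks an index mapping of the shape returned by `GET filebeat-*/_mapping` and a handful of `_source` documents of the shape returned by `_search`, and reports whether the dashboard field (`zeek.dns.query`, the field named in the post) is mapped and how many documents actually carry it. `SAMPLE_MAPPING` and `SAMPLE_DOCS` are constructed stand-ins for real cluster output; on a live cluster you would feed it the JSON from those two requests instead.

```python
import json
from typing import Any, Dict, List

# Constructed stand-in for GET filebeat-*/_mapping (trimmed); not real cluster output.
SAMPLE_MAPPING: Dict[str, Any] = {
    "filebeat-7.8.1-2020.08.01": {
        "mappings": {
            "properties": {
                "message": {"type": "text"},
                "event": {"properties": {"module": {"type": "keyword"}}},
                "zeek": {"properties": {"dns": {"properties": {
                    "query": {"type": "keyword"},
                }}}},
            }
        }
    }
}

# Constructed sample _source documents: one parsed into zeek.dns.*, one with a
# dotted key (Elasticsearch expands "a.b" into the object path a.b), and one
# that only carries the raw line, so the dashboard field is absent.
SAMPLE_DOCS: List[Dict[str, Any]] = [
    {"event": {"module": "zeek"}, "zeek": {"dns": {"query": "example.com"}}},
    {"event": {"module": "zeek"}, "zeek.dns.query": "example.org"},
    {"event": {"module": "zeek"}, "message": '{"query":"example.net"}'},
]


def field_in_mapping(mappings: Dict[str, Any], path: str) -> bool:
    """True if the dotted field path exists in an index's 'mappings' tree."""
    node = mappings
    for part in path.split("."):
        props = node.get("properties", {})
        if part not in props:
            return False
        node = props[part]
    return True


def expand_dots(obj: Any) -> Any:
    """Expand dotted keys ('zeek.dns.query') into nested objects, as Elasticsearch does."""
    if not isinstance(obj, dict):
        return obj
    out: Dict[str, Any] = {}
    for key, value in obj.items():
        parts = key.split(".")
        cur = out
        for part in parts[:-1]:
            cur = cur.setdefault(part, {})
        cur[parts[-1]] = expand_dots(value)
    return out


def doc_has_field(source: Dict[str, Any], path: str) -> bool:
    """True if the document's _source contains a non-null value at the dotted path."""
    node: Any = expand_dots(source)
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return node is not None


def diagnose(mapping: Dict[str, Any], docs: List[Dict[str, Any]], path: str) -> Dict[str, Any]:
    """Summarise whether the field is mapped in every index and how many docs carry it."""
    unmapped = [name for name, idx in mapping.items()
                if not field_in_mapping(idx.get("mappings", {}), path)]
    with_field = sum(1 for d in docs if doc_has_field(d, path))
    return {
        "field": path,
        "unmapped_indices": unmapped,
        "total_docs": len(docs),
        "docs_with_field": with_field,
        "docs_without_field": len(docs) - with_field,
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_MAPPING, SAMPLE_DOCS, "zeek.dns.query"), indent=2))
```

A result with the field mapped but most documents lacking it points at the parsing side (the field never gets populated, so "Hits (total)" counts the events while the visualization's query matches none); a result with the field missing from the mapping points at the index template. Either way the check narrows where to look before rebuilding anything.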