Hello everyone,
The Filebeat Zeek Module -> Logstash -> ES -> Kibana SIEM 7.4.0 setup is showing Zeek DNS, SSL, etc. logs only as zeek.notice logs (e.g. instead of zeek.dns.query there is only zeek.notice.query). All the mappings are basic and the index has been re-created, but there is still no data within SIEM network hosts except for IP-related info (empty Top DNS domains, DNS queries, TLS handshakes) or in [Filebeat Zeek] Overview (empty visualisations for Top DNS Domains, Network Application, Network Traffic Direction, Top SSL Servers).
The Zeek module is set up to harvest all those logs, but they only appear as subsets of the zeek.notice fileset and therefore do not show up in Kibana dashboards.
Is that a feature, or should there be some switch within the Filebeat setup to get it working again?