Zeek & ELK integration (A lot of strange fields)

Elastic Stack Beats
1

Hi there,
I set up ELK and then beats on Zeek server to send data to Elasticsearch.
Everything is good except one: there are a lot of fields - 308

2021-09-18 21_19_24-ELK - VMware Workstation
2021-09-18 21_19_24-ELK - VMware Workstation1830×779 182 KB

And it creates an element of inconvenience for me to create a search. I think I've done something wrong, set it up wrong somewhere. There are even fields with the prefix "suricata".
2021-09-18 21_33_26-ELK - VMware Workstation
2021-09-18 21_33_26-ELK - VMware Workstation1837×863 205 KB

How did you send Zeek logs to the ELK? What is your configuration?
What inputs do you need from me?

2

Hi, I think the problem is in the pipeline, maybe is missing from elastic, so the fields are not renamed, transformed, etc; this tutorial let you check all the steps for collecting the logs:

3

I did everything like in this guide.
But It didn't help.

4

I believe all the suricata fields are showing because they're aliases of the ECS fields. I believe this has been fixed for future versions.

5

It's okay that there are a lot of fields?

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.