Zeek filebeat - HTTP and TLS events not fully populating

I have a Security Onion VM with Filebeat on it, with the Zeek module enabled. I've edited the zeek.yml file to point to /nsm/bro/logs/current and have all the events being pulled through to Kibana.

DNS events are fully populating with source and destination IP, however HTTP and TLS are not. HTTP events in Kibana contain source and destination ports as well as the HTTP response, but don't contain IP.
SSL events are the same, not populating with source and destination IP.

Any advice would be really appreciated!

Can anyone help with this?

I've edited the Zeek Filebeat config within Security Onion to pull the source and destination IP through, however in Kibana SIEM there are still no events populating under HTTP or TLS.
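One way to narrow down the symptom described above, as an added example that is not part of the original thread: check whether the raw Zeek HTTP and SSL logs carry the connection addresses at all, which separates a sensor-side problem from an ingest or mapping problem. It assumes Zeek is writing JSON logs; the function names and sample log lines are constructed for illustration.

```python
import json
import sys

# Zeek's connection 4-tuple as it appears in its logs.
ID_FIELDS = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p")

def get_field(record, dotted):
    """Read a field written flat ("id.orig_h") or nested ({"id": {"orig_h": ...}})."""
    if dotted in record:
        return record[dotted]
    node = record
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def missing_id_fields(lines):
    """Return (records, missing-count per field, unparseable line count)."""
    missing = {f: 0 for f in ID_FIELDS}
    records = unparseable = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            rec = None
        if not isinstance(rec, dict):  # e.g. TSV output with '#fields' headers
            unparseable += 1
            continue
        records += 1
        for f in ID_FIELDS:
            if get_field(rec, f) in (None, ""):
                missing[f] += 1
    return records, missing, unparseable

# Constructed sample lines (documentation IP ranges), not taken from a real sensor.
SAMPLE_HTTP = [
    '{"ts":1588000000.1,"uid":"Cexample1","id.orig_h":"192.0.2.10","id.orig_p":49152,'
    '"id.resp_h":"198.51.100.5","id.resp_p":80,"method":"GET","status_code":200}',
    '{"ts":1588000001.2,"uid":"Cexample2","id.orig_p":49153,"id.resp_p":80,"status_code":404}',
]
SAMPLE_SSL = ["#fields\tts\tuid\tid.orig_h", '{"uid":"Cexample3","id":{"orig_h":"192.0.2.11",'
              '"orig_p":50000,"resp_h":"198.51.100.6","resp_p":443},"version":"TLSv12"}']

if __name__ == "__main__":
    # Pass log paths (e.g. /nsm/bro/logs/current/http.log) or run on the samples.
    inputs = {p: open(p) for p in sys.argv[1:]} or {"http": SAMPLE_HTTP, "ssl": SAMPLE_SSL}
    for name, lines in inputs.items():
        print(name, missing_id_fields(lines))
```

If the address fields are present in the raw logs but absent in Kibana, the problem lies in the Filebeat module or ingest pipeline rather than in Zeek.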

Hi @lw24, what version of Beats and Kibana are you running? Is it 7.6.2 right now?

We had this bug where TLS is not populating when using Beats 7.6.2 and Kibana 7.6.2:

Where the fix is projected to land in the upcoming 7.2.0

Elasticsearch and Kibana are v7.6.1
