I have a Security Onion VM with Filebeat on it with the Zeek module enabled. I've edited the zeek.yml file to point to /nsm/bro/logs/current and have all the events being pulled through to Kibana.
DNS events are fully populating with source and destination IP; however, HTTP and TLS are not. HTTP events in Kibana contain source and destination ports as well as the HTTP response, but don't contain IP.
SSL events are the same, not populating with source and destination IP.
I've edited the Zeek Filebeat config within Security Onion to pull the source and destination IP through; however, in Kibana SIEM there are still no events populating under HTTP or TLS.