Zeek filebeat - HTTP and TLS events not fully populating

lw24 · March 24, 2020, 12:28pm

I have a Security Onion VM with Filebeats on it with Zeek module enabled. I've edited the zeek.yml file to point to /nsm/bro/logs/current and have all the events being pulled through to Kibana.

DNS events are fully populating with source and destination IP, however HTTP and TLS are not. HTTP events in kibana contain source and destination ports as well as the HTTP response, but don't contain IP.
SSL events are the same, not populating with source and destination IP.

Any advice would be really appreciated!

lw24 · March 31, 2020, 7:30pm

Can anyone help with this?

I've edited the Zeek filebeat config within Security Onion to pull the source and destination IP through, however in Kibana SIEM there are still no events populating under HTTP or TLS.

Frank_Hassanabad · April 4, 2020, 4:56pm

Hi @lw24, what version of the beats and Kibana are you running? Is it 7.6.2 right now?

We had this bug where TLS is not populating when using beats 7.6.2 and Kibana 7.6.2:

Where the fix is projected to land in the upcoming 7.2.0

lw24 · April 11, 2020, 11:14am

Elasticsearch and Kibana are v7.6.1

system · May 9, 2020, 11:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Zeek dns logs show only as zeek.notice leaving dns fields empty SIEM beats-module	1	980	December 11, 2019
I can't see Zeek's http.log in Kibana but everything else (DNS, SSL, etc.) is fine Beats filebeat	2	1554	March 2, 2020
I'm not seeing any geoip data from my zeek logs in my SIEM map SIEM	3	938	September 9, 2019
Filebeat + zeekmodule to elastic + kibana Beats beats-module , filebeat	7	3890	December 5, 2019
Zeek Filebeat Module to Logstash JSON Logstash	2	703	October 22, 2019

Zeek filebeat - HTTP and TLS events not fully populating

Related topics