I have a Security Onion VM with Filebeat on it with the Zeek module enabled. I've edited the zeek.yml file to point to /nsm/bro/logs/current and have all the events being pulled through to Kibana.
DNS events are fully populating with source and destination IP; however, HTTP and TLS are not. HTTP events in Kibana contain source and destination ports as well as the HTTP response, but don't contain IP.
SSL events are the same, not populating with source and destination IP.
Any advice would be really appreciated!