Zeek filebeat - HTTP and TLS events not fully populating

lw24 · March 24, 2020, 12:28pm

I have a Security Onion VM with Filebeats on it with Zeek module enabled. I've edited the zeek.yml file to point to /nsm/bro/logs/current and have all the events being pulled through to Kibana.

DNS events are fully populating with source and destination IP, however HTTP and TLS are not. HTTP events in kibana contain source and destination ports as well as the HTTP response, but don't contain IP.
SSL events are the same, not populating with source and destination IP.

Any advice would be really appreciated!

lw24 · March 31, 2020, 7:30pm

Can anyone help with this?

I've edited the Zeek filebeat config within Security Onion to pull the source and destination IP through, however in Kibana SIEM there are still no events populating under HTTP or TLS.

Frank_Hassanabad · April 4, 2020, 4:56pm

Hi @lw24, what version of the beats and Kibana are you running? Is it 7.6.2 right now?

We had this bug where TLS is not populating when using beats 7.6.2 and Kibana 7.6.2:

Where the fix is projected to land in the upcoming 7.2.0

lw24 · April 11, 2020, 11:14am

Elasticsearch and Kibana are v7.6.1

system · May 9, 2020, 11:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.