Zeek module not processing logs

thurbs · April 4, 2025, 5:43pm

Rocky 9 VM. Zeek version 6.0.4

Running into an issue where filebeat isn't processing zeek logs after enabling zeek module. I can get filebeat to process the logs manually through filebeat.yml

I verify through journalctl that filebeat is configuring the intended path of /var/zeek/logs/current/conn.log

Here's my zeek.yml

# Module: zeek
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.17/filebeat-module-zeek.html

- module: zeek
  connection:
    enabled: true
    var.paths: ["/var/zeek/logs/current/conn.log"]

Would love any guidance or help.

Topic		Replies	Views
Issue with Filebeat Zeek module Beats filebeat	18	792	March 15, 2024
Zeek monitoring using filebeats Beats filebeat	7	338	December 13, 2022
Using Filebeat with Zeek (issue with configuration) Beats filebeat	6	5025	September 26, 2019
Filebeat zeek module shows no data Beats filebeat	1	288	August 24, 2022
I can't see Zeek's http.log in Kibana but everything else (DNS, SSL, etc.) is fine Beats filebeat	2	1610	March 2, 2020

Zeek module not processing logs

Related topics