Import of Zeek and Suricata logs fail #11575
We can't guarantee that our parsers will parse your Zeek and Suricata logs. Since we already have our own Zeek and Suricata built in, you can try importing a pcap file using so-import-pcap: This has the added benefit of allowing you to pivot from a Suricata alert or Zeek log to the full packet capture for that stream.
I have configured an import instance of Security Onion (2.4.20-2023-10-12) in VirtualBox (Windows 10).
I have not changed anything in the standard configuration.
The goal is to import Zeek (version 6.0.1) and Suricata (version 6.0.10) logs that are collected elsewhere (not from a SO sensor).
I am experiencing issues with getting the content of the log files (actually any log files) into SOC.
I have placed the Zeek files (in JSON format) in the folder:
/nsm/import/Zeek/
The Suricata file (eve.json) is located here:
/nsm/import/Suricata/
The logfiles have permission “rwxrw_rw_”.
Timestamps of the logfiles have been “touch”ed to current time.
The logs from Zeek are imported in SOC as empty network logs.
The Suricata logs never arrive.
The Zeek logs are accompanied by a list of error messages, all related to the following:
• error.message TypeError: Cannot read property 'slice' of undefined at process (inline.js:2:21(7))
• log.file.path /nsm/import/zeek/weird.11_01_36-12_00_00.log (for this specific weird log, the same is true for conn, DNS, HTTP, etc.)
• log.flags [ "dissect_parsing_error" ]
• tags [ "_js_exception" ]
I have checked the JSON format of the Zeek files and all looks ok.

I have attached the event_dataset/category overview that shows a lot of empty syslogs from the SO system.
Any suggestions on what could be wrong?
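An added pre-import check (example code, not from the thread or from Security Onion) that validates Zeek JSON logs and Suricata eve.json as one-JSON-object-per-line files and reports lines that are not JSON, are a TSV-format Zeek header, or lack the fields an ingest pipeline keys on. The required keys (`ts` for Zeek; `timestamp` and `event_type` for Suricata) and the sample records are assumptions; the script does not diagnose the `inline.js` error above, it only rules out malformed input before the files go into /nsm/import/.

```python
import json
from pathlib import Path

# Constructed sample content (not from the thread): a valid Zeek conn record,
# a TSV-style Zeek header line, a truncated line, then two Suricata records.
ZEEK_SAMPLE = (
    '{"ts":1697112000.123,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9"}\n'
    '#separator \\x09\n'
    '{"uid":"CAbc2"\n'
)
SURICATA_SAMPLE = (
    '{"timestamp":"2023-10-12T12:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5"}\n'
    '{"src_ip":"10.0.0.5"}\n'
)

# Assumed minimum keys per log family (what a pipeline would reach for first).
REQUIRED = {"zeek": ("ts",), "suricata": ("timestamp", "event_type")}


def check_ndjson(text, kind):
    """Return a list of (line_no, problem) for every non-empty line that is
    not a JSON object carrying the keys REQUIRED[kind] expects."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            # Zeek's default TSV output starts with "#separator"; not JSON.
            problems.append((n, "TSV-format Zeek header; file is not JSON"))
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as e:
            problems.append((n, f"invalid JSON: {e.msg}"))
            continue
        if not isinstance(rec, dict):
            problems.append((n, "JSON value is not an object"))
            continue
        missing = [k for k in REQUIRED[kind] if k not in rec]
        if missing:
            problems.append((n, "missing " + ",".join(missing)))
    return problems


def check_file(path, kind):
    """Run check_ndjson over a log file on disk, e.g. /nsm/import/Suricata/eve.json."""
    return check_ndjson(Path(path).read_text(encoding="utf-8"), kind)


if __name__ == "__main__":
    for kind, sample in (("zeek", ZEEK_SAMPLE), ("suricata", SURICATA_SAMPLE)):
        for n, msg in check_ndjson(sample, kind):
            print(f"{kind} line {n}: {msg}")
```

Run it against each file in the import folders before touching timestamps; a clean run means the files at least parse as the JSON the importer expects.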