2.3 - Some Zeek logs (Syslog) not showing up in SecOnion or Elastic #12098
-
Still on Sec Onion 2.3.190, hope to upgrade soon. The issue I am having is that not all of my Zeek logs are showing up in Sec Onion or Elastic. The one I really care about that is missing is the Zeek Syslog. I went and checked so-zeek-logs and everything was already [*]. I also browsed to /nsm/zeek/logs/current/ and see that there is a syslog.log and it has events in it. But when I go to the Hunt dashboard and do a [ * | groupby log.file.path ] there are only 7 Zeek files listed. I am reading through the docs, but can't find what I am doing wrong. What am I missing? Thank you.
Replies: 2 comments
-
In so-zeek-logs, have you tried selecting Ok for it to apply the configuration with syslog enabled?
https://docs.securityonion.net/en/2.3/so-zeek-logs.html
Have you checked the zeeklogs:enabled pillar?
https://docs.securityonion.net/en/2.3/filebeat.html#configuration
2.3.190 is over a year old:
https://blog.securityonion.net/2022/12/security-onion-23190-now-available.…
Before we spend too much time troubleshooting such an old version, please upgrade to the latest 2.3 version or (even better) migrate to 2.4. 2.3 reaches End Of Life in about 3 months:
-
When I went into so-zeek-logs, syslog and everything else was already checked. I think I hit OK but can't say for sure. I decided to try unchecking it, hitting Ok, then restarting, then rechecking... After unchecking & rebooting I went back in to recheck it, but it was already checked. ??? When I went to look into the pillar link you sent, there is no yml or any other file in /opt/so/saltstack/local/salt/filebeat/etc/ . Very strange. Expediting the 2.4 rebuild is going to be the best answer, but I may clone it just so I can keep poking.
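The two checks suggested in the thread (is syslog in the zeeklogs:enabled pillar, and does syslog.log actually reach Hunt) can be run side by side with a small script. The one below is an added example, not Security Onion project code. It assumes the pillar is a YAML fragment of the shape `zeeklogs:` / `enabled:` / `- conn` ..., that the "shipped" list is a text file with one `log.file.path` value per line (as you would get by exporting the `* | groupby log.file.path` result from Hunt), and that both paths plus the Zeek log directory are passed in by the caller rather than hard-coded. The fixture it builds is constructed to mirror this thread: syslog is enabled in the pillar and has a file on disk, but never shows up in the shipped list.

```shell
#!/bin/sh
# Added example (not Security Onion project code): cross-check which Zeek logs
# exist on disk against (a) the zeeklogs:enabled pillar and (b) the log files
# that actually reached Elastic/Hunt. The pillar layout, the shipped-list
# format and all paths are assumptions supplied by the caller.

# Print the log names listed under zeeklogs: -> enabled: in a pillar file.
# Returns 2 when the pillar file is missing, which is itself a finding.
enabled_from_pillar() {
    pillar=$1
    [ -r "$pillar" ] || { printf 'pillar file not found: %s\n' "$pillar" >&2; return 2; }
    awk '
        /^[ \t]*#/                    { next }                      # comment lines
        /^[ \t]*$/                    { next }                      # blank lines
        /^zeeklogs:/                  { inblock = 1; next }
        inblock && /^[^ \t]/          { inblock = 0; inlist = 0 }  # next top-level key
        inblock && /^[ \t]+enabled:/  { inlist = 1; next }
        inblock && inlist && /^[ \t]+-[ \t]*/ {
            sub(/^[ \t]+-[ \t]*/, ""); sub(/[ \t]+$/, ""); print; next
        }
        inblock && inlist             { inlist = 0 }                # list ended
    ' "$pillar"
}

# Print Zeek log names found in a log directory (syslog.log -> syslog).
logs_on_disk() {
    for f in "$1"/*.log; do
        [ -e "$f" ] || continue
        basename "$f" .log
    done
}

# Names present on disk but absent from the pillar's enabled list.
# Usage: missing_from_pillar <pillar.sls> <zeek log dir>
missing_from_pillar() {
    enabled=$(enabled_from_pillar "$1") || return $?
    for name in $(logs_on_disk "$2"); do
        printf '%s\n' "$enabled" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Names present on disk but absent from the shipped list (one log.file.path per line).
# Usage: not_shipped <zeek log dir> <shipped paths file>
not_shipped() {
    logdir=$1; shipped=$2
    for name in $(logs_on_disk "$logdir"); do
        grep -qx ".*/$name\.log" "$shipped" || printf '%s\n' "$name"
    done
}

# Constructed fixture: fake log directory, pillar and Hunt export. syslog is
# enabled and present on disk but missing from the shipped list; files.log is
# on disk but not enabled at all.
make_fixture() {
    base=$(mktemp -d)
    mkdir "$base/current"
    for n in conn dns files http ssl syslog; do
        printf '%s\n' '# constructed sample log' > "$base/current/$n.log"
    done
    cat > "$base/minion.sls" <<'EOF'
zeeklogs:
  enabled:
    - conn
    - dns
    - http
    - ssl
    - syslog
EOF
    cat > "$base/shipped.txt" <<'EOF'
/nsm/zeek/logs/current/conn.log
/nsm/zeek/logs/current/dns.log
/nsm/zeek/logs/current/http.log
/nsm/zeek/logs/current/ssl.log
EOF
    printf '%s\n' "$base"
}

demo() {
    base=$(make_fixture)
    printf 'On disk but not in zeeklogs:enabled:\n'
    missing_from_pillar "$base/minion.sls" "$base/current"
    printf 'On disk but not seen in Hunt:\n'
    not_shipped "$base/current" "$base/shipped.txt"
    rm -rf "$base"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real 2.3 node, point `missing_from_pillar` at the minion's pillar file and `/nsm/zeek/logs/current/`, and `not_shipped` at the same directory plus the exported groupby result. A log that passes the pillar check but fails the shipped check (syslog in the fixture, and in this thread) narrows the problem to the Filebeat/Elastic path rather than the Zeek log configuration; a pillar file that does not exist at all, as the last reply describes, makes the function return 2 instead of silently reporting nothing.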