New Install Not Ingesting Zeek Logs #13032

imaohw1337 · 2024-05-16T22:37:05Z

imaohw1337
May 16, 2024

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

24

RAM

64gb

Storage for /

447gb

Storage for /nsm

6705gb

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Brand new install of 2.4.60. Have a ManagerSearch node and 3 Forward nodes. No event.module: "zeek" logs are being ingested.

Suricata logs are coming in from the sensors and elastic agent logs coming in fine but not the Zeek logs. I see Zeek logs being generated on the sensors under /nsm/zeek/logs/* just not being ingested in our Manager it looks like.

The deployment otherwise is healthy - (Grid, elastic-agent status, so-status) show running + healthy + low resource usage. Any insight on what might be the problem?

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by imaohw1337

Jun 4, 2024

Update from 2.4.60 to 2.4.70 miraculously fixed. Zeek logs now coming in.

View full answer

imaohw1337 · 2024-05-17T22:45:44Z

imaohw1337
May 17, 2024
Author

Running "so-elasticsearch-query logs-zeek-so/_search?q=event.dataset:conn", I get the following:

{"error":{"root_cause":[{"type":"index_not_found_exception","reason":"no such index [logs-zeek-so]","resource.type":"index_or_alias","resource.id":"logs-zeek-so","index_uuid":"_na_","index":"logs-zeek-so"}],"type":"index_not_found_exception","reason":"no such index [logs-zeek-so]","resource.type":"index_or_alias","resource.id":"logs-zeek-so","index_uuid":"_na_","index":"logs-zeek-so"},"status":404}[

5 replies

imaohw1337 May 20, 2024
Author

In SOC, navigate to Administration > Configuration > global > mdengine is that set to Zeek?

Yes

If so, navigate to Fleet and check the so-grid-nodes_general agent policy and check if zeek-logs is there.

In so-grid-nodes_general, I'm not seeing zeek-logs under integrations

cm-ops May 21, 2024
Maintainer

It appears the integration did not get loaded for some reason, please do the below.

Remove /opt/so/state/eaintegrations.txt and run sudo so-elastic-fleet-integration-policy-load and recheck so-grid-nodes_general for zeek-logs.

imaohw1337 May 22, 2024
Author

Command ran ok however still not seeing zeek-logs show up.

imaohw1337 Jun 4, 2024
Author

Update from 2.4.60 to 2.4.70 miraculously fixed. Zeek logs now coming in.

Answer selected by imaohw1337

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

New Install Not Ingesting Zeek Logs #13032

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 5 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

New Install Not Ingesting Zeek Logs #13032

Uh oh!

imaohw1337 May 16, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 5 replies

Uh oh!

imaohw1337 May 17, 2024 Author

Uh oh!

imaohw1337 May 20, 2024 Author

Uh oh!

cm-ops May 21, 2024 Maintainer

Uh oh!

imaohw1337 May 22, 2024 Author

Uh oh!

imaohw1337 Jun 4, 2024 Author

imaohw1337
May 16, 2024

Replies: 1 comment 5 replies

imaohw1337
May 17, 2024
Author

imaohw1337 May 20, 2024
Author

cm-ops May 21, 2024
Maintainer

imaohw1337 May 22, 2024
Author

imaohw1337 Jun 4, 2024
Author