Zeek dns.log populated locally but not showing in Kibana DNS dashboard

[SysAdminShed]

Version

2.4.150

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

296

Storage for /

265GB

Storage for /nsm

1.4TB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Was told to open a discussion instead : #14674

Describe the bug
dns.log is correctly generated in /nsm/zeek/logs/current/ and contains valid entries, but these entries are not appearing in Kibana, specifically in the Zeek DNS dashboard or dns.log* in the Discover tab. conn.log entries are visible and contain VLAN tags, indicating traffic capture and parsing works correctly.

To Reproduce

Install Security Onion on bare metal (non-cloud image), latest version as of May 2025.

Add Intel quad 1Gb NIC (49Y4242), connect VLAN-tagged trunk port (no mirroring) from Aruba 5400R ZL2 core switch to ens2f3.

Run so-monitor-add to add ens2f3 to bond0.

Run:

sudo ethtool -K ens2f3 rxvlan off txvlan off gro off gso off tso off

Reboot and verify with: tcpdump -i ens2f3 -n

Output shows valid 802.1Q tagged DNS traffic.

Check /nsm/zeek/logs/current/dns.log – entries present.

Open Kibana → Discover or Zeek DNS Dashboard.

Search for DNS entries → none are visible.

Expected behavior
dns.log entries should be parsed and forwarded to Elasticsearch, then visible in Kibana via dns.log* in Discover or Zeek dashboards.

cat /nsm/zeek/logs/current/dns.log | wc -l

Additional context
Install type: Bare metal (not a cloud image)

NIC: Intel 49Y4242 (quad 1Gb)

Interface setup:

ens2f3 receives tagged VLANs from H14 on Aruba switch (no mirroring)

All VLANs (1-20) are tagged to this port

Interface added to bond0 using so-monitor-add

Software versions: Latest Security Onion 2 (as of May 2025)

Zeek process status: All expected Zeek processes are running, capturing on af_packet::bond0

Suricata also running on bond0 and capturing alerts

conn.log entries show VLAN traffic working correctly

Issue persists after:

Disabling offloads (rxvlan, txvlan, gro, gso, tso)

Full system reboot

Verifying time range and index pattern in Kibana

Restarting Kibana and Logstash

No custom BPF filter set (/opt/so/conf/zeek.bpf is default or empty)

Please advise whether this may be due to missing Logstash pipeline processing, index template issues, or another known caveat with VLAN-tagged DNS packets in Zeek/Kibana under SO.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.