Replies: 2 comments
-
First, what process is using port 57314? Second, it looks like you are importing/replaying the Zeek logs. The pipeline is zeek.conn not zeek.conn.2026-02-21-10-00-00. Is this the case? When you say Detections finds ETOPEN malware, do you mean you see a sigma alert or Suricata alert for that rule category? I am not clear on your title.
0 replies
-
From the little I know to find the answers:
It looks like the Docker-Proxy container is holding the port.
I tried finding which log I viewed when I found some errors.
Right now it started working. Not sure why.
From: Chris Morgret ***@***.***>
Sent: Tuesday, February 24, 2026 8:04 AM
To: Security-Onion-Solutions/securityonion ***@***.***>
Cc: kcornny ***@***.***>; Author ***@***.***>
Subject: Re: [Security-Onion-Solutions/securityonion] Pcap empty, dections finds etopen malware but it don't go to alerts (Discussion #15516)
First, what process in using port 57314?
Second, it looks like you are importing/replaying the Zeek logs. The pipeline is zeek.conn not zeek.conn.2026-02-21-10-00-00. Is this the case?
When you say Detections finds ETOPEN malware, do you mean you see a sigma alert or Suricata alert for that rule category? I am not clear on your title.
0 replies
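The Salt state quoted in the original post (strelkaportavailable) decides whether "another process" holds the Strelka port with a chain of greps, and kcornny's reply above notes that a docker-proxy listener on that port is the tolerated case. The following is an added example, not Security Onion's own code, that makes the same decision explicit in Python over `netstat -utanp` style rows: the port is matched on either address column and rows mentioning docker or TIME_WAIT are skipped, exactly as `grep ":57314" | grep -vE 'docker|TIME_WAIT'` does. The netstat rows are constructed; PIDs, addresses and program names are made up.

```python
"""Explicit form of the port-in-use test run by the strelkaportavailable
Salt state. Added example, not project code; sample rows are constructed."""
from typing import Dict, List

STRELKA_PORT = 57314
# Same exclusions as the state's `grep -vE 'docker|TIME_WAIT'`.
TOLERATED = ("docker", "TIME_WAIT")


def parse_netstat_line(line: str) -> Dict[str, str]:
    """Split one `netstat -utanp` row into its fields.

    UDP rows carry no State column, so the row is read from both ends:
    proto/local/foreign from the front, PID/Program from the back, and
    State only when the row has seven fields."""
    parts = line.split()
    if len(parts) < 6:
        raise ValueError(f"not a netstat row: {line!r}")
    return {
        "proto": parts[0],
        "local": parts[3],
        "foreign": parts[4],
        "state": parts[5] if len(parts) >= 7 else "",
        "program": parts[-1],
    }


def port_conflicts(rows: List[str], port: int = STRELKA_PORT) -> List[Dict[str, str]]:
    """Return the rows the Salt check would report as a conflict.

    Like the original `grep ":57314"`, the port is matched as a substring of
    the whole row, so a foreign address on that port counts as well; rows
    mentioning a docker process or a TIME_WAIT socket are tolerated."""
    needle = f":{port}"
    hits = []
    for line in rows:
        if needle not in line:
            continue
        if any(token in line for token in TOLERATED):
            continue
        hits.append(parse_netstat_line(line))
    return hits


def check_exit_code(rows: List[str], port: int = STRELKA_PORT) -> int:
    """Mirror the state's `&& exit 1 || exit 0`: 1 when a conflict exists."""
    return 1 if port_conflicts(rows, port) else 0


# Constructed `netstat -utanp` output (made-up PIDs, addresses, programs).
SAMPLE_NETSTAT = [
    "tcp        0      0 0.0.0.0:57314           0.0.0.0:*               LISTEN      4242/docker-proxy",
    "tcp        0      0 172.17.1.1:57314        172.17.0.5:39988        TIME_WAIT   -",
    "tcp        0      0 127.0.0.1:57314         0.0.0.0:*               LISTEN      9999/python3",
    "udp        0      0 0.0.0.0:57314           0.0.0.0:*                           7777/nc",
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1000/sshd",
]

if __name__ == "__main__":
    for hit in port_conflicts(SAMPLE_NETSTAT):
        print(f"{hit['proto']} {hit['local']} {hit['state'] or '-'} held by {hit['program']}")
    print("exit code:", check_exit_code(SAMPLE_NETSTAT))
```

On a live host the rows would come from `netstat -utanp` (or the equivalent `ss` listing) instead of the constructed list; the first two sample rows show why the state passed in the post even though the port was bound: a docker-proxy listener and a TIME_WAIT socket are both filtered out before the check decides.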
-
Version: 2.4.200
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Meets minimum requirements
CPU: 2
RAM: 16gb
Storage for /: 82.8
Storage for /nsm: 161.4
Network Traffic Collection: span port
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: Yes, there are salt failures (please provide detail below)
Logs: No, there are no additional clues
Detail
The logstash shows warn messages as well as the salt-call state.highstate.
The highstate is warning that the strelka port is in use:
ID: strelkaportavailable
Function: cmd.run
Name: netstat -utanp | grep ":57314" | grep -qvE 'docker|TIME_WAIT' && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0
Result: True
Comment: Command "netstat -utanp | grep ":57314" | grep -qvE 'docker|TIME_WAIT' && PROCESS=$(netstat -utanp | grep ":57314" | uniq) && echo "Another process ($PROCESS) appears to be using port 57314. Please terminate this process, or reboot to ensure a clean state so that Strelka can start properly." && exit 1 || exit 0" run
Started: 13:53:44.069217
Duration: 67.893 ms
Changes:
----------
pid:
3399315
retcode:
0
stderr:
stdout:
[2026-02-21T10:31:07,020][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :routing=>nil, :pipeline=>"zeek.conn.2026-02-21-10-00-00"}, {"message"=>"{"ts":1771666220.20989,"uid":"CNx5h32WAiuUoQJ4e3","id.orig_h":"2600:1700:b0d0:769f::1004","id.orig_p":60658,"id.resp_h":"2603:1037:1:118::80","id.resp_p":443,"proto":"tcp","service":"ssl","duration":2839.6685531139374,"orig_bytes":5166,"resp_bytes":25357,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"ShADad","orig_pkts":258,"orig_ip_bytes":20666,"resp_pkts":300,"resp_ip_bytes":43369,"ip_proto":6,"community_id":"1:AiO1gyX3DhKNrsgQSjPpsipIzZ4=","orig_mac_oui":"Sunrich Technology Limited"}", "pipeline"=>"conn.2026-02-21-10-00-00", "type"=>"redis-input", "@timestamp"=>2026-02-21T10:25:08.549Z, "data_stream"=>{"type"=>"logs", "namespace"=>"so", "dataset"=>"zeek"}, "ecs"=>{"version"=>"8.0.0"}, "container"=>{"id"=>"conn.2026-02-21-10-00-00.log"}, "log"=>{"offset"=>2399652, "file"=>{"path"=>"/nsm/zeek/logs/current/conn.2026-02-21-10-00-00.log"}}, "host"=>{"mac"=>["6E-2D-0B-ED-62-EA", "AC-00-F9-04-B0-AE", "FC-3F-DB-03-37-53"], "hostname"=>"soc", "containerized"=>false, "id"=>"f13ee27ddf9641c582917a97a52fee2f", "os"=>{"family"=>"redhat", "type"=>"linux", "version"=>"9.7", "platform"=>"ol", "name"=>"Oracle Linux Server", "kernel"=>"5.15.0-317.197.5.1.el9uek.x86_64"}, "name"=>"soc", "architecture"=>"x86_64"}, "tags"=>["elastic-agent", "input-soc", "beats_input_codec_plain_applied"], "agent"=>{"type"=>"filebeat", "name"=>"soc", "ephemeral_id"=>"99fbbab1-fefa-44b9-9465-669ff0f58dbf", "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "event"=>{"category"=>"network", "module"=>"zeek", "dataset"=>"zeek"}, "@Version"=>"1", "input"=>{"type"=>"log"}, "elastic_agent"=>{"snapshot"=>false, "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "metadata"=>{"pipeline"=>"zeek.conn.2026-02-21-10-00-00", "beat"=>"filebeat", "type"=>"_doc", "stream_id"=>"logfile-log.logs-zeek-logs", "version"=>"8.18.8", "raw_index"=>"logs-zeek-so", "input"=>{"beats"=>{"host"=>{"ip"=>"172.17.1.1"}}}, "input_id"=>"logfile-logs-zeek-logs"}}], :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"pipeline with id [zeek.conn.2026-02-21-10-00-00] does not exist"}}}}
[2026-02-21T10:31:07,021][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :routing=>nil, :pipeline=>"zeek.conn.2026-02-21-10-00-00"}, {"message"=>"{"ts":1771668235.900235,"uid":"CpPCYkX1CnURxYRke","id.orig_h":"fe80::1:1","id.orig_p":136,"id.resp_h":"fe80::48df:9ff:fe8e:7932","id.resp_p":135,"proto":"icmp","duration":839.1093909740448,"orig_bytes":648,"resp_bytes":384,"conn_state":"OTH","local_orig":true,"local_resp":true,"missed_bytes":0,"orig_pkts":40,"orig_ip_bytes":2568,"resp_pkts":16,"resp_ip_bytes":1152,"ip_proto":58,"community_id":"1:wXXNadSD0xzm0epccwKyf7SroKU=","orig_mac_oui":"Globalscale Technologies, Inc."}", "pipeline"=>"conn.2026-02-21-10-00-00", "type"=>"redis-input", "@timestamp"=>2026-02-21T10:25:08.550Z, "data_stream"=>{"type"=>"logs", "namespace"=>"so", "dataset"=>"zeek"}, "ecs"=>{"version"=>"8.0.0"}, "container"=>{"id"=>"conn.2026-02-21-10-00-00.log"}, "log"=>{"offset"=>2401686, "file"=>{"path"=>"/nsm/zeek/logs/current/conn.2026-02-21-10-00-00.log"}}, "host"=>{"mac"=>["6E-2D-0B-ED-62-EA", "AC-00-F9-04-B0-AE", "FC-3F-DB-03-37-53"], "hostname"=>"soc", "containerized"=>false, "id"=>"f13ee27ddf9641c582917a97a52fee2f", "os"=>{"family"=>"redhat", "type"=>"linux", "version"=>"9.7", "platform"=>"ol", "name"=>"Oracle Linux Server", "kernel"=>"5.15.0-317.197.5.1.el9uek.x86_64"}, "name"=>"soc", "architecture"=>"x86_64"}, "tags"=>["elastic-agent", "input-soc", "beats_input_codec_plain_applied"], "agent"=>{"type"=>"filebeat", "name"=>"soc", "ephemeral_id"=>"99fbbab1-fefa-44b9-9465-669ff0f58dbf", "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "event"=>{"category"=>"network", "module"=>"zeek", "dataset"=>"zeek"}, "@Version"=>"1", "input"=>{"type"=>"log"}, "elastic_agent"=>{"snapshot"=>false, "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "metadata"=>{"pipeline"=>"zeek.conn.2026-02-21-10-00-00", "beat"=>"filebeat", "type"=>"_doc", "stream_id"=>"logfile-log.logs-zeek-logs", "version"=>"8.18.8", "raw_index"=>"logs-zeek-so", "input"=>{"beats"=>{"host"=>{"ip"=>"172.17.1.1"}}}, "input_id"=>"logfile-logs-zeek-logs"}}], :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"pipeline with id [zeek.conn.2026-02-21-10-00-00] does not exist"}}}}
[2026-02-21T10:31:07,633][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :routing=>nil, :pipeline=>"zeek.conn.2026-02-21-10-00-00"}, {"message"=>"{"ts":1771668616.635086,"uid":"CUJBVu1WMZLmZGTISi","id.orig_h":"192.168.1.19","id.orig_p":44844,"id.resp_h":"103.195.103.66","id.resp_p":9993,"proto":"udp","duration":455.31844782829285,"orig_bytes":39315,"resp_bytes":1616,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":439,"orig_ip_bytes":51607,"resp_pkts":10,"resp_ip_bytes":1896,"ip_proto":17,"community_id":"1:vLWUG4iN+Yb2pb6ugiMYYAG3cnA=","orig_mac_oui":"Dell Inc."}", "pipeline"=>"conn.2026-02-21-10-00-00", "type"=>"redis-input", "@timestamp"=>2026-02-21T10:25:08.559Z, "data_stream"=>{"type"=>"logs", "namespace"=>"so", "dataset"=>"zeek"}, "ecs"=>{"version"=>"8.0.0"}, "container"=>{"id"=>"conn.2026-02-21-10-00-00.log"}, "log"=>{"offset"=>2405646, "file"=>{"path"=>"/nsm/zeek/logs/current/conn.2026-02-21-10-00-00.log"}}, "host"=>{"mac"=>["6E-2D-0B-ED-62-EA", "AC-00-F9-04-B0-AE", "FC-3F-DB-03-37-53"], "hostname"=>"soc", "containerized"=>false, "id"=>"f13ee27ddf9641c582917a97a52fee2f", "os"=>{"family"=>"redhat", "type"=>"linux", "version"=>"9.7", "platform"=>"ol", "name"=>"Oracle Linux Server", "kernel"=>"5.15.0-317.197.5.1.el9uek.x86_64"}, "name"=>"soc", "architecture"=>"x86_64"}, "tags"=>["elastic-agent", "input-soc", "beats_input_codec_plain_applied"], "agent"=>{"type"=>"filebeat", "name"=>"soc", "ephemeral_id"=>"99fbbab1-fefa-44b9-9465-669ff0f58dbf", "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "event"=>{"category"=>"network", "module"=>"zeek", "dataset"=>"zeek"}, "@Version"=>"1", "input"=>{"type"=>"log"}, "elastic_agent"=>{"snapshot"=>false, "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "metadata"=>{"pipeline"=>"zeek.conn.2026-02-21-10-00-00", "beat"=>"filebeat", "type"=>"_doc", "stream_id"=>"logfile-log.logs-zeek-logs", "version"=>"8.18.8", "raw_index"=>"logs-zeek-so", "input"=>{"beats"=>{"host"=>{"ip"=>"172.17.1.1"}}}, "input_id"=>"logfile-logs-zeek-logs"}}], :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"pipeline with id [zeek.conn.2026-02-21-10-00-00] does not exist"}}}}
[2026-02-21T10:31:07,650][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :routing=>nil, :pipeline=>"zeek.conn.2026-02-21-10-00-00"}, {"message"=>"{"ts":1771668617.659922,"uid":"Cp81T51TgVODBHWLof","id.orig_h":"192.168.1.31","id.orig_p":23118,"id.resp_h":"52.96.157.98","id.resp_p":443,"proto":"tcp","service":"ssl","duration":455.13501715660095,"orig_bytes":162306,"resp_bytes":219037,"conn_state":"S1","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShADda","orig_pkts":546,"orig_ip_bytes":184158,"resp_pkts":847,"resp_ip_bytes":252929,"ip_proto":6,"community_id":"1:85qfSAkDaOKssrQ5aMJEKA0KMIM=","orig_mac_oui":"REALTEK SEMICONDUCTOR CORP."}", "pipeline"=>"conn.2026-02-21-10-00-00", "type"=>"redis-input", "@timestamp"=>2026-02-21T10:25:08.559Z, "data_stream"=>{"type"=>"logs", "namespace"=>"so", "dataset"=>"zeek"}, "ecs"=>{"version"=>"8.0.0"}, "log"=>{"offset"=>2407563, "file"=>{"path"=>"/nsm/zeek/logs/current/conn.2026-02-21-10-00-00.log"}}, "container"=>{"id"=>"conn.2026-02-21-10-00-00.log"}, "host"=>{"mac"=>["6E-2D-0B-ED-62-EA", "AC-00-F9-04-B0-AE", "FC-3F-DB-03-37-53"], "hostname"=>"soc", "containerized"=>false, "id"=>"f13ee27ddf9641c582917a97a52fee2f", "os"=>{"family"=>"redhat", "type"=>"linux", "version"=>"9.7", "platform"=>"ol", "name"=>"Oracle Linux Server", "kernel"=>"5.15.0-317.197.5.1.el9uek.x86_64"}, "name"=>"soc", "architecture"=>"x86_64"}, "tags"=>["elastic-agent", "input-soc", "beats_input_codec_plain_applied"], "agent"=>{"type"=>"filebeat", "name"=>"soc", "ephemeral_id"=>"99fbbab1-fefa-44b9-9465-669ff0f58dbf", "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "event"=>{"category"=>"network", "module"=>"zeek", "dataset"=>"zeek"}, "@Version"=>"1", "input"=>{"type"=>"log"}, "elastic_agent"=>{"snapshot"=>false, "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "metadata"=>{"pipeline"=>"zeek.conn.2026-02-21-10-00-00", "beat"=>"filebeat", "type"=>"_doc", "stream_id"=>"logfile-log.logs-zeek-logs", "version"=>"8.18.8", "raw_index"=>"logs-zeek-so", "input"=>{"beats"=>{"host"=>{"ip"=>"172.17.1.1"}}}, "input_id"=>"logfile-logs-zeek-logs"}}], :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"pipeline with id [zeek.conn.2026-02-21-10-00-00] does not exist"}}}}
[2026-02-21T10:31:07,651][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :routing=>nil, :pipeline=>"zeek.conn.2026-02-21-10-00-00"}, {"message"=>"{"ts":1771663262.295111,"uid":"Cg71Rs2wCwDn46Sz5","id.orig_h":"192.168.1.31","id.orig_p":6527,"id.resp_h":"57.144.204.141","id.resp_p":443,"proto":"tcp","service":"ssl","duration":5824.030542135239,"orig_bytes":18615,"resp_bytes":66059,"conn_state":"S1","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShADadTT","orig_pkts":670,"orig_ip_bytes":45463,"resp_pkts":478,"resp_ip_bytes":85191,"ip_proto":6,"community_id":"1:zeTNztQUmp8LEt/FP75THVCr70c=","orig_mac_oui":"REALTEK SEMICONDUCTOR CORP."}", "pipeline"=>"conn.2026-02-21-10-00-00", "type"=>"redis-input", "@timestamp"=>2026-02-21T10:25:08.559Z, "data_stream"=>{"type"=>"logs", "namespace"=>"so", "dataset"=>"zeek"}, "ecs"=>{"version"=>"8.0.0"}, "log"=>{"offset"=>2409610, "file"=>{"path"=>"/nsm/zeek/logs/current/conn.2026-02-21-10-00-00.log"}}, "container"=>{"id"=>"conn.2026-02-21-10-00-00.log"}, "host"=>{"mac"=>["6E-2D-0B-ED-62-EA", "AC-00-F9-04-B0-AE", "FC-3F-DB-03-37-53"], "hostname"=>"soc", "containerized"=>false, "id"=>"f13ee27ddf9641c582917a97a52fee2f", "os"=>{"family"=>"redhat", "type"=>"linux", "version"=>"9.7", "platform"=>"ol", "name"=>"Oracle Linux Server", "kernel"=>"5.15.0-317.197.5.1.el9uek.x86_64"}, "name"=>"soc", "architecture"=>"x86_64"}, "tags"=>["elastic-agent", "input-soc", "beats_input_codec_plain_applied"], "agent"=>{"type"=>"filebeat", "name"=>"soc", "ephemeral_id"=>"99fbbab1-fefa-44b9-9465-669ff0f58dbf", "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "event"=>{"category"=>"network", "module"=>"zeek", "dataset"=>"zeek"}, "@Version"=>"1", "input"=>{"type"=>"log"}, "elastic_agent"=>{"snapshot"=>false, "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "metadata"=>{"pipeline"=>"zeek.conn.2026-02-21-10-00-00", "beat"=>"filebeat", "type"=>"_doc", "stream_id"=>"logfile-log.logs-zeek-logs", "version"=>"8.18.8", "raw_index"=>"logs-zeek-so", "input"=>{"beats"=>{"host"=>{"ip"=>"172.17.1.1"}}}, "input_id"=>"logfile-logs-zeek-logs"}}], :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"pipeline with id [zeek.conn.2026-02-21-10-00-00] does not exist"}}}}
[2026-02-21T10:31:07,651][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :routing=>nil, :pipeline=>"zeek.conn.2026-02-21-10-00-00"}, {"message"=>"{"ts":1771663259.071654,"uid":"CPht8Ah8fjTRd8du3","id.orig_h":"192.168.1.31","id.orig_p":55299,"id.resp_h":"57.144.204.141","id.resp_p":443,"proto":"tcp","service":"ssl","duration":5822.255836963654,"orig_bytes":15951,"resp_bytes":16593,"conn_state":"S1","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShADad","orig_pkts":790,"orig_ip_bytes":47563,"resp_pkts":415,"resp_ip_bytes":33205,"ip_proto":6,"community_id":"1:eQrWx3PB2qFxNxm6FtYrPOrAQAc=","orig_mac_oui":"REALTEK SEMICONDUCTOR CORP."}", "pipeline"=>"conn.2026-02-21-10-00-00", "type"=>"redis-input", "@timestamp"=>2026-02-21T10:25:08.560Z, "data_stream"=>{"type"=>"logs", "namespace"=>"so", "dataset"=>"zeek"}, "ecs"=>{"version"=>"8.0.0"}, "log"=>{"file"=>{"path"=>"/nsm/zeek/logs/current/conn.2026-02-21-10-00-00.log"}, "offset"=>2411623}, "container"=>{"id"=>"conn.2026-02-21-10-00-00.log"}, "host"=>{"mac"=>["6E-2D-0B-ED-62-EA", "AC-00-F9-04-B0-AE", "FC-3F-DB-03-37-53"], "hostname"=>"soc", "containerized"=>false, "id"=>"f13ee27ddf9641c582917a97a52fee2f", "os"=>{"family"=>"redhat", "type"=>"linux", "version"=>"9.7", "platform"=>"ol", "name"=>"Oracle Linux Server", "kernel"=>"5.15.0-317.197.5.1.el9uek.x86_64"}, "name"=>"soc", "architecture"=>"x86_64"}, "tags"=>["elastic-agent", "input-soc", "beats_input_codec_plain_applied"], "agent"=>{"type"=>"filebeat", "name"=>"soc", "ephemeral_id"=>"99fbbab1-fefa-44b9-9465-669ff0f58dbf", "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "event"=>{"category"=>"network", "module"=>"zeek", "dataset"=>"zeek"}, "@Version"=>"1", "input"=>{"type"=>"log"}, "elastic_agent"=>{"snapshot"=>false, "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "metadata"=>{"pipeline"=>"zeek.conn.2026-02-21-10-00-00", "beat"=>"filebeat", "type"=>"_doc", "stream_id"=>"logfile-log.logs-zeek-logs", "version"=>"8.18.8", "raw_index"=>"logs-zeek-so", "input"=>{"beats"=>{"host"=>{"ip"=>"172.17.1.1"}}}, "input_id"=>"logfile-logs-zeek-logs"}}], :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"pipeline with id [zeek.conn.2026-02-21-10-00-00] does not exist"}}}}
[2026-02-21T10:31:07,651][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :routing=>nil, :pipeline=>"zeek.conn.2026-02-21-10-00-00"}, {"message"=>"{"ts":1771610407.762786,"uid":"CjAU1s3qbq4xGjWYa","id.orig_h":"192.168.1.44","id.orig_p":52389,"id.resp_h":"239.255.255.250","id.resp_p":1900,"proto":"udp","duration":58647.771344184875,"orig_bytes":2836962,"resp_bytes":0,"conn_state":"S0","local_orig":true,"local_resp":true,"missed_bytes":0,"history":"D","orig_pkts":9528,"orig_ip_bytes":3103746,"resp_pkts":0,"resp_ip_bytes":0,"ip_proto":17,"community_id":"1:S+1CYIjYlWL5fz4UtCujjwCpFyw=","orig_mac_oui":"Iomega Corporation"}", "pipeline"=>"conn.2026-02-21-10-00-00", "type"=>"redis-input", "@timestamp"=>2026-02-21T10:25:08.559Z, "data_stream"=>{"type"=>"logs", "namespace"=>"so", "dataset"=>"zeek"}, "ecs"=>{"version"=>"8.0.0"}, "log"=>{"file"=>{"path"=>"/nsm/zeek/logs/current/conn.2026-02-21-10-00-00.log"}, "offset"=>2405167}, "container"=>{"id"=>"conn.2026-02-21-10-00-00.log"}, "host"=>{"mac"=>["6E-2D-0B-ED-62-EA", "AC-00-F9-04-B0-AE", "FC-3F-DB-03-37-53"], "hostname"=>"soc", "containerized"=>false, "id"=>"f13ee27ddf9641c582917a97a52fee2f", "os"=>{"family"=>"redhat", "type"=>"linux", "version"=>"9.7", "platform"=>"ol", "name"=>"Oracle Linux Server", "kernel"=>"5.15.0-317.197.5.1.el9uek.x86_64"}, "name"=>"soc", "architecture"=>"x86_64"}, "tags"=>["elastic-agent", "input-soc", "beats_input_codec_plain_applied"], "agent"=>{"type"=>"filebeat", "name"=>"soc", "ephemeral_id"=>"99fbbab1-fefa-44b9-9465-669ff0f58dbf", "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "event"=>{"category"=>"network", "module"=>"zeek", "dataset"=>"zeek"}, "@Version"=>"1", "input"=>{"type"=>"log"}, "elastic_agent"=>{"snapshot"=>false, "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "metadata"=>{"pipeline"=>"zeek.conn.2026-02-21-10-00-00", "beat"=>"filebeat", "type"=>"_doc", "stream_id"=>"logfile-log.logs-zeek-logs", "version"=>"8.18.8", "raw_index"=>"logs-zeek-so", "input"=>{"beats"=>{"host"=>{"ip"=>"172.17.1.1"}}}, "input_id"=>"logfile-logs-zeek-logs"}}], :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"pipeline with id [zeek.conn.2026-02-21-10-00-00] does not exist"}}}}
[2026-02-21T10:31:07,652][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :routing=>nil, :pipeline=>"zeek.conn.2026-02-21-10-00-00"}, {"message"=>"{"ts":1771663130.08917,"uid":"CJTScxZk3QGybiyp4","id.orig_h":"2600:1700:b0d0:769f:f2ad:4eff:fe3d:430","id.orig_p":135,"id.resp_h":"2600:1700:b0d0:769f:c9fc:caed:ee32:895d","id.resp_p":136,"proto":"icmp","duration":5940.22682595253,"orig_bytes":4728,"resp_bytes":4728,"conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"orig_pkts":197,"orig_ip_bytes":14184,"resp_pkts":197,"resp_ip_bytes":14184,"ip_proto":58,"community_id":"1:M72T9wKpxXiHBH7541PoIQu94Dc=","orig_mac_oui":"Globalscale Technologies, Inc."}", "pipeline"=>"conn.2026-02-21-10-00-00", "type"=>"redis-input", "@timestamp"=>2026-02-21T10:25:08.559Z, "data_stream"=>{"type"=>"logs", "namespace"=>"so", "dataset"=>"zeek"}, "ecs"=>{"version"=>"8.0.0"}, "container"=>{"id"=>"conn.2026-02-21-10-00-00.log"}, "log"=>{"offset"=>2407035, "file"=>{"path"=>"/nsm/zeek/logs/current/conn.2026-02-21-10-00-00.log"}}, "host"=>{"mac"=>["6E-2D-0B-ED-62-EA", "AC-00-F9-04-B0-AE", "FC-3F-DB-03-37-53"], "hostname"=>"soc", "containerized"=>false, "id"=>"f13ee27ddf9641c582917a97a52fee2f", "os"=>{"family"=>"redhat", "type"=>"linux", "version"=>"9.7", "platform"=>"ol", "name"=>"Oracle Linux Server", "kernel"=>"5.15.0-317.197.5.1.el9uek.x86_64"}, "name"=>"soc", "architecture"=>"x86_64"}, "tags"=>["elastic-agent", "input-soc", "beats_input_codec_plain_applied"], "agent"=>{"type"=>"filebeat", "name"=>"soc", "ephemeral_id"=>"99fbbab1-fefa-44b9-9465-669ff0f58dbf", "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "event"=>{"category"=>"network", "module"=>"zeek", "dataset"=>"zeek"}, "@Version"=>"1", "input"=>{"type"=>"log"}, "elastic_agent"=>{"snapshot"=>false, "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "metadata"=>{"pipeline"=>"zeek.conn.2026-02-21-10-00-00", "beat"=>"filebeat", "type"=>"_doc", "stream_id"=>"logfile-log.logs-zeek-logs", "version"=>"8.18.8", "raw_index"=>"logs-zeek-so", "input"=>{"beats"=>{"host"=>{"ip"=>"172.17.1.1"}}}, "input_id"=>"logfile-logs-zeek-logs"}}], :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"pipeline with id [zeek.conn.2026-02-21-10-00-00] does not exist"}}}}
[2026-02-21T10:31:07,652][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :routing=>nil, :pipeline=>"zeek.conn.2026-02-21-10-00-00"}, {"message"=>"{"ts":1771668619.224871,"uid":"CDvd0FFUU4tHojwRe","id.orig_h":"192.168.1.31","id.orig_p":23124,"id.resp_h":"52.96.157.98","id.resp_p":443,"proto":"tcp","service":"ssl","duration":453.25233817100525,"orig_bytes":274241,"resp_bytes":222317,"conn_state":"S1","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShADda","orig_pkts":425,"orig_ip_bytes":291253,"resp_pkts":466,"resp_ip_bytes":240969,"ip_proto":6,"community_id":"1:tE91Sxc9zDggptATIXEnElMdZbM=","orig_mac_oui":"REALTEK SEMICONDUCTOR CORP."}", "pipeline"=>"conn.2026-02-21-10-00-00", "type"=>"redis-input", "@timestamp"=>2026-02-21T10:25:08.559Z, "data_stream"=>{"type"=>"logs", "namespace"=>"so", "dataset"=>"zeek"}, "ecs"=>{"version"=>"8.0.0"}, "container"=>{"id"=>"conn.2026-02-21-10-00-00.log"}, "log"=>{"offset"=>2409096, "file"=>{"path"=>"/nsm/zeek/logs/current/conn.2026-02-21-10-00-00.log"}}, "host"=>{"mac"=>["6E-2D-0B-ED-62-EA", "AC-00-F9-04-B0-AE", "FC-3F-DB-03-37-53"], "hostname"=>"soc", "containerized"=>false, "id"=>"f13ee27ddf9641c582917a97a52fee2f", "os"=>{"family"=>"redhat", "type"=>"linux", "version"=>"9.7", "platform"=>"ol", "name"=>"Oracle Linux Server", "kernel"=>"5.15.0-317.197.5.1.el9uek.x86_64"}, "name"=>"soc", "architecture"=>"x86_64"}, "tags"=>["elastic-agent", "input-soc", "beats_input_codec_plain_applied"], "agent"=>{"type"=>"filebeat", "name"=>"soc", "ephemeral_id"=>"99fbbab1-fefa-44b9-9465-669ff0f58dbf", "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "event"=>{"category"=>"network", "module"=>"zeek", "dataset"=>"zeek"}, "@Version"=>"1", "input"=>{"type"=>"log"}, "elastic_agent"=>{"snapshot"=>false, "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "metadata"=>{"pipeline"=>"zeek.conn.2026-02-21-10-00-00", "beat"=>"filebeat", "type"=>"_doc", "stream_id"=>"logfile-log.logs-zeek-logs", "version"=>"8.18.8", "raw_index"=>"logs-zeek-so", "input"=>{"beats"=>{"host"=>{"ip"=>"172.17.1.1"}}}, "input_id"=>"logfile-logs-zeek-logs"}}], :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"pipeline with id [zeek.conn.2026-02-21-10-00-00] does not exist"}}}}
[2026-02-21T10:31:07,652][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :routing=>nil, :pipeline=>"zeek.conn.2026-02-21-10-00-00"}, {"message"=>"{"ts":1771668653.247435,"uid":"CjV6rm3LTStb8owZni","id.orig_h":"192.168.1.31","id.orig_p":23236,"id.resp_h":"52.96.223.2","id.resp_p":443,"proto":"tcp","service":"ssl","duration":406.3179588317871,"orig_bytes":11517,"resp_bytes":34128,"conn_state":"S1","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShADda","orig_pkts":48,"orig_ip_bytes":13449,"resp_pkts":82,"resp_ip_bytes":37420,"ip_proto":6,"community_id":"1:i66ZC/WqV+vjo4P1DwO75LRpvN8=","orig_mac_oui":"REALTEK SEMICONDUCTOR CORP."}", "pipeline"=>"conn.2026-02-21-10-00-00", "type"=>"redis-input", "@timestamp"=>2026-02-21T10:25:08.560Z, "data_stream"=>{"type"=>"logs", "namespace"=>"so", "dataset"=>"zeek"}, "ecs"=>{"version"=>"8.0.0"}, "log"=>{"offset"=>2411116, "file"=>{"path"=>"/nsm/zeek/logs/current/conn.2026-02-21-10-00-00.log"}}, "container"=>{"id"=>"conn.2026-02-21-10-00-00.log"}, "host"=>{"mac"=>["6E-2D-0B-ED-62-EA", "AC-00-F9-04-B0-AE", "FC-3F-DB-03-37-53"], "hostname"=>"soc", "containerized"=>false, "id"=>"f13ee27ddf9641c582917a97a52fee2f", "os"=>{"family"=>"redhat", "type"=>"linux", "version"=>"9.7", "platform"=>"ol", "name"=>"Oracle Linux Server", "kernel"=>"5.15.0-317.197.5.1.el9uek.x86_64"}, "name"=>"soc", "architecture"=>"x86_64"}, "tags"=>["elastic-agent", "input-soc", "beats_input_codec_plain_applied"], "agent"=>{"type"=>"filebeat", "name"=>"soc", "ephemeral_id"=>"99fbbab1-fefa-44b9-9465-669ff0f58dbf", "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "event"=>{"category"=>"network", "module"=>"zeek", "dataset"=>"zeek"}, "@Version"=>"1", "input"=>{"type"=>"log"}, "elastic_agent"=>{"snapshot"=>false, "version"=>"8.18.8", "id"=>"6f280558-3833-4c4c-a115-1ffc1f4a3676"}, "metadata"=>{"pipeline"=>"zeek.conn.2026-02-21-10-00-00", "beat"=>"filebeat", "type"=>"_doc", "stream_id"=>"logfile-log.logs-zeek-logs", "version"=>"8.18.8", "raw_index"=>"logs-zeek-so", "input"=>{"beats"=>{"host"=>{"ip"=>"172.17.1.1"}}}, "input_id"=>"logfile-logs-zeek-logs"}}], :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"pipeline with id [zeek.conn.2026-02-21-10-00-00] does not exist"}}}}
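Every warning above is the same failure: Elasticsearch rejects the event because the ingest pipeline named in it, zeek.conn.2026-02-21-10-00-00, does not exist, and the reply in this thread points out that the pipeline should be zeek.conn. The pipeline id carries the rotation timestamp of the source file (conn.2026-02-21-10-00-00.log rather than conn.log). The following triage helper is an added example and not Security Onion's own code: it parses Logstash warnings of this shape, groups them by the rejected pipeline id, and derives the id the same file would get with the timestamp stripped. The mapping "<dataset>.<stamp>.log" -> "zeek.<dataset>" is taken from that reply and is assumed here to hold for other Zeek datasets too; the sample warnings are constructed, shortened copies of the page's log format.

```python
"""Group Logstash "Could not index event" warnings by the missing ingest
pipeline id and derive the expected (timestamp-free) id.
Added example, not project code. The zeek.<dataset> mapping is an
assumption generalised from the zeek.conn case discussed in the thread."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

# Reason string Elasticsearch returns when the named ingest pipeline is missing.
MISSING_PIPELINE_RE = re.compile(r"pipeline with id \[([^\]]+)\] does not exist")
# Source file path that Filebeat / Elastic Agent records on the event.
LOG_PATH_RE = re.compile(r'"path"=>"([^"]+)"')
# Zeek writes <dataset>.log live and rotates it to <dataset>.YYYY-MM-DD-HH-MM-SS.log.
ZEEK_NAME_RE = re.compile(
    r"^(?P<dataset>[A-Za-z0-9_]+)(?:\.\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})?\.log$"
)


def expected_pipeline(log_path: str) -> Optional[str]:
    """Map a Zeek log path to the pipeline id it would normally use
    (assumed zeek.<dataset>), ignoring any rotation timestamp.
    Returns None when the file name does not look like a Zeek log."""
    name = log_path.rsplit("/", 1)[-1]
    match = ZEEK_NAME_RE.match(name)
    if match is None:
        return None
    return f"zeek.{match.group('dataset')}"


def summarise(lines: Iterable[str]) -> Dict[str, dict]:
    """Return {rejected_pipeline_id: {"count", "expected", "files"}} for every
    missing-pipeline rejection; warnings with another error reason are skipped."""
    groups: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "expected": None, "files": set()}
    )
    for line in lines:
        reason = MISSING_PIPELINE_RE.search(line)
        if reason is None:
            continue  # a different indexing failure, not this problem
        entry = groups[reason.group(1)]
        entry["count"] += 1
        path = LOG_PATH_RE.search(line)
        if path is not None:
            entry["files"].add(path.group(1))
            entry["expected"] = entry["expected"] or expected_pipeline(path.group(1))
    return {k: {**v, "files": sorted(v["files"])} for k, v in groups.items()}


# Constructed samples in the Ruby-hash style Logstash prints; only the fields
# the helper reads are kept. The third line is a different error on purpose.
SAMPLE_WARNINGS = [
    '[2026-02-21T10:31:07,020][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. '
    '{:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :pipeline=>"zeek.conn.2026-02-21-10-00-00"}, '
    '{"log"=>{"file"=>{"path"=>"/nsm/zeek/logs/current/conn.2026-02-21-10-00-00.log"}}}], '
    ':response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", '
    '"reason"=>"pipeline with id [zeek.conn.2026-02-21-10-00-00] does not exist"}}}}',
    '[2026-02-21T10:31:07,021][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. '
    '{:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :pipeline=>"zeek.conn.2026-02-21-10-00-00"}, '
    '{"log"=>{"file"=>{"path"=>"/nsm/zeek/logs/current/conn.2026-02-21-10-00-00.log"}}}], '
    ':response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", '
    '"reason"=>"pipeline with id [zeek.conn.2026-02-21-10-00-00] does not exist"}}}}',
    '[2026-02-21T10:31:08,100][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. '
    '{:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :pipeline=>"zeek.conn"}, '
    '{"log"=>{"file"=>{"path"=>"/nsm/zeek/logs/current/conn.log"}}}], '
    ':response=>{"create"=>{"status"=>400, "error"=>{"type"=>"mapper_parsing_exception", '
    '"reason"=>"failed to parse field [duration]"}}}}',
    '[2026-02-21T10:31:08,200][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. '
    '{:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :pipeline=>"zeek.dns.2026-02-21-10-00-00"}, '
    '{"log"=>{"file"=>{"path"=>"/nsm/zeek/logs/current/dns.2026-02-21-10-00-00.log"}}}], '
    ':response=>{"create"=>{"status"=>400, "error"=>{"type"=>"illegal_argument_exception", '
    '"reason"=>"pipeline with id [zeek.dns.2026-02-21-10-00-00] does not exist"}}}}',
]

if __name__ == "__main__":
    for rejected, info in summarise(SAMPLE_WARNINGS).items():
        print(f"{info['count']:>4}  {rejected}  ->  expected {info['expected']}  from {info['files']}")
```

Run against a real Logstash log the input would be the file's lines instead of SAMPLE_WARNINGS; a rejected id that differs from the expected one only by a rotation timestamp points at the replayed, already-rotated files rather than at a missing pipeline on the Elasticsearch side.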