Same issue here, just upgraded to 2.3.70 and can't request PCAPs in distributed mode. Looks like the difference may be the URL: From Kibana, requesting the _id of an item: From Hunt, requesting a PCAP: Hunt is missing the /securityonion/ path in the joblookup URL, and the timestamp doesn't look right there either.
At this point it's not clear if these two issues are related. I've checked my 2.3.70 cluster, and checked with others, but have not encountered this issue. @JamesRV12 Please provide relevant information related to the alert so that we can assist. For example, a screenshot showing the Zeek or network community ID fields, and then any related events linked to that ID that have Zeek ID, UID, or FID fields. If an alert cannot be traced back to some Zeek metadata, then a pivot will not be able to pull a PCAP. Also, include the portion of the SOC log ( @B3DTech Both URLs you provided are valid and supported. The reason a URL would have
Requesting a PCAP action on an alert gives the error "Elasticsearch document was not found"; on examining the logs, this appears to be due to the error "Zeek File record is missing a UID".
I am using Security Onion 2.3.70 in standalone mode as installed from the SO ISO; all so-services are reporting running OK.
This is stopping all PCAP actions. Does anyone know of a solution to this?