Replies: 3 comments
-
If you run tcpdump on your sniffing interface, do you see the SSL traffic coming in? Do you see any SSL logs in Have you modified your Zeek, Filebeat, or BPF configuration?
-
Sorry for the late reply. I thought I posted the results of your questions. There are no SSL logs in the /nsm/zeek/logs/current/ directory nor in the previous day's directories. I have one SSL log on 5/25/2022. There are none between 4/4 and 5/25. There is a gap from 3/24 to 4/4. Prior to 3/24 they are complete. I am observing the TLS handshake in tcpdump. Around that time I was working with RITA to examine the logs. I installed it with the --disable-zeek switch, which tells the installer not to install Zeek, and no changes are made to Zeek, supposedly.
-
Seems like you've pinpointed where the changes might have come from. You might want to perform a simple installation of Security Onion in a VM and compare the working system to the non-working system to look for any differences. |
-
Does anyone know why Zeek would stop keeping SSL logs? I'm missing some other logs as well, but not all logs. I have DNS, DHCP, Conn and others.
Where do I start looking for the cause of this?
Version 2.3.120
On-Prem
ISO
1 standalone server
Cortex and Hive are not running
sudo salt-call state.highstate shows no errors
SOC Grid page shows a fault but no explanation
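One way to start, as an added example rather than anything from this thread or from Security Onion itself: a small POSIX sh check that walks the archived Zeek log directories and reports days where a conn log was written but no ssl log was, plus whether the current/ directory has a given stream at all. It assumes Security Onion's layout of `<LOGROOT>/YYYY-MM-DD/<stream>.*.log.gz` for archived days and `<LOGROOT>/current/<stream>.log` for the live logs (the post mentions /nsm/zeek/logs/current/ and the per-day directories); the sample tree is constructed in a temp directory so it runs offline, and the gap days in it are illustrative, not taken from the poster's system.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion.
# Assumed layout (adjust LOGROOT on a real box, e.g. /nsm/zeek/logs):
#   $LOGROOT/YYYY-MM-DD/<stream>.<HH:MM:SS-HH:MM:SS>.log.gz
#   $LOGROOT/current/<stream>.log

# zeek_gap_days LOGROOT STREAM
#   Prints one YYYY-MM-DD per archived day that has conn logs but no
#   logs for STREAM. Days with no conn logs are skipped, since a sensor
#   that was down is not a per-stream gap. Always returns 0.
zeek_gap_days() {
    _root=$1
    _stream=$2
    for _day in "$_root"/????-??-??; do
        [ -d "$_day" ] || continue
        # conn present, stream absent => candidate gap for this stream
        if ls "$_day"/conn.* >/dev/null 2>&1 \
           && ! ls "$_day"/"$_stream".* >/dev/null 2>&1; then
            echo "${_day##*/}"
        fi
    done
    return 0
}

# zeek_current_has LOGROOT STREAM
#   Returns 0 if the live log for STREAM exists under current/, else 1.
zeek_current_has() {
    [ -e "$1/current/$2.log" ]
}

# Constructed sample tree (not real data): conn logs every day, ssl logs
# only on the first and last day, and no ssl.log in current/.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
for d in 2022-03-23 2022-03-24 2022-03-25 2022-04-04 2022-05-25; do
    mkdir -p "$demo_root/$d"
    : > "$demo_root/$d/conn.00:00:00-01:00:00.log.gz"
done
: > "$demo_root/2022-03-23/ssl.00:00:00-01:00:00.log.gz"
: > "$demo_root/2022-05-25/ssl.00:00:00-01:00:00.log.gz"
mkdir -p "$demo_root/current"
: > "$demo_root/current/conn.log"

echo "Days with conn but no ssl:"
zeek_gap_days "$demo_root" ssl
for s in conn ssl; do
    if zeek_current_has "$demo_root" "$s"; then
        echo "current/$s.log: present"
    else
        echo "current/$s.log: MISSING"
    fi
done
```

Run it with LOGROOT pointed at the real /nsm/zeek/logs and the gap list gives you the exact dates to line up against whatever changed on the box (package installs, config edits, salt runs) around 3/24 and 4/4; a stream missing from current/ while conn.log is being written points at the Zeek side rather than at packet capture, which matches seeing the TLS handshake in tcpdump.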