cisagov / Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
https://cisagov.github.io/Malcolm/

The Suricata alert did not appear on the dashboard #507

Open alleniverson33 opened 12 hours ago

alleniverson33 commented 12 hours ago

malcolm 23.08.1 k8s


The data is available in the parsed eve.json file of Suricata, but it is not displayed in the dashboard or OpenSearch. (The Filebeat and Logstash components are running normally.)

May I ask how to troubleshoot such issues?

mmguero commented 4 hours ago

So other logs (like Zeek logs) are displaying on the dashboards, but Suricata isn't, is that correct? Can we make sure that your search time frame is covering the entire possible time range? (I wouldn't imagine with running in K8s that the time frame on the captured PCAP and what your browser is set to but it's something to check). So, in other words, setting your search time frame in dashboards as "one year ago" to "1 day from now" or something like that?

Is this from uploaded PCAP data or live-captured network traffic?

Something else we could do is look at the filebeat container logs:

```shell
./scripts/logs -s filebeat | grep eve
```

And see what comes from those messages.
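Alongside the Filebeat log check, the reply's first suggestion is to confirm that the dashboard time picker actually covers the timestamps of the alerts sitting in eve.json. The script below is an added example (not part of Malcolm or of this thread) that reads eve.json lines, reports the time range of the `event_type: alert` records, and lists any alerts that fall outside a given dashboard window; the eve.json lines and the window are constructed sample values, and `parse_eve`, `alert_time_range` and `alerts_outside_window` are helper names chosen here.

```python
import json
from datetime import datetime, timezone

# Constructed sample eve.json content (not taken from the reporter's environment).
# One alert is recent, one is from 2022, one malformed line is included on purpose.
SAMPLE_EVE = """\
{"timestamp":"2023-08-10T14:02:11.123456+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"constructed test signature","severity":2}}
{"timestamp":"2023-08-10T14:02:12.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
{"timestamp":"2022-01-03T09:15:00.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature":"constructed test signature","severity":2}}
this line is not JSON
"""


def parse_eve(text):
    """Return decoded eve.json records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line is skipped rather than aborting the scan
    return records


def parse_ts(ts):
    """Suricata writes timestamps like 2023-08-10T14:02:11.123456+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def alert_time_range(records):
    """(count, earliest, latest) over records with event_type == "alert"."""
    stamps = [parse_ts(r["timestamp"]) for r in records
              if r.get("event_type") == "alert" and "timestamp" in r]
    if not stamps:
        return 0, None, None
    return len(stamps), min(stamps), max(stamps)


def alerts_outside_window(records, start, end):
    """Alerts whose timestamp lies outside [start, end]: these exist in
    eve.json but are invisible to a dashboard limited to that window."""
    return [r for r in records
            if r.get("event_type") == "alert"
            and not (start <= parse_ts(r["timestamp"]) <= end)]


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    print("alerts, earliest, latest:", alert_time_range(recs))
    window = (datetime(2023, 8, 10, tzinfo=timezone.utc),
              datetime(2023, 8, 11, tzinfo=timezone.utc))
    print("hidden by this window:", len(alerts_outside_window(recs, *window)))
```

Point the script at a real eve.json (e.g. `parse_eve(open(path).read())`) and widen the dashboard time picker to cover the reported earliest and latest timestamps before concluding that ingestion is broken.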