Dashboard - Kibana

[shaw2020]

Before you post your issue make sure it has not been answered yet and provide basic support information if you come to the conclusion it is a new issue.

• 🔍 Use the search function first
• 🧐 Check our WIKI
• 📚 Consult the documentation of 💻 Debian, 🐳 Docker, the 🦌 ELK stack and the 🍯 T-Pot Readme.
• ⚠️ Provide basic support information or similiar information with regard to your issue or we can not help you and will close the issue without further notice

⚠️ Basic support information (commands are expected to run as root)

• What version of the OS are you currently using lsb_release -a and uname -a?
• What T-Pot version are you currently using?
• What edition (Standard, Nextgen, etc.) of T-Pot are you running?
• What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
• Did you have any problems during the install? If yes, please attach /install.log /install.err.
• How long has your installation been running?
• Did you install upgrades, packages or use the update script?
• Did you modify any scripts or configs? If yes, please attach the changes.
• Please provide a screenshot of glances and htop.
• How much free disk space is available (df -h)?
• What is the current container status (dps.sh)?
• What is the status of the T-Pot service (systemctl status tpot)?
• What ports are being occupied? Stop T-Pot systemctl stop tpot and run netstat -tulpen
• If a single container shows as DOWN you can run docker logs <container-name> for the latest log entries

[shaw2020]

Good morning, recently I installed the "HIVE" honeypot on my server with Debian 11.8. However, when I access the Kibana dashboard under the Suricata dashboard to view attack actions, I receive the following message in several fields:

suricata event bar: The field "tls.ja3.hash.keyword" associated with this object no longer exists in the data view. Please use another field.

suricata events: The field "tls.ja3.hash.keyword" associated with this object no longer exists in the data view. Please use another field.

All fields display a message like this. I need to know what I can do to resolve this issue.

[t3chn0m4g3]

Are there any Suricata logs, i.e. eve.json, in the /data folder? If not the Suricata dashboard is empty as there are no logs.

[shaw2020]

So the dashboard is only like this because no log has arrived yet?