The Suricata alert did not appear on the dashboard

[alleniverson33]

malcolm 23.08.1 k8s

The data is available in the parsed evejson file of Suricata, but it is not displayed in the dashboard or opensearch. (Filebeat, Logstash components are running normally)

May I ask how to troubleshoot such issues

[mmguero]

So other logs (like Zeek logs) are displaying on the dashboards, but Suricata isn't, is that correct? Can we make sure that your search time frame is covering the entire possible time range? (I wouldn't imagine with running in K8s that the time frame on the captured PCAP and what your browser is set to but it's something to check). So, in other words, setting your search time frame in dashboards as "one year ago" to "1 day from now" or something like that?

Is this from uploaded PCAP data or live-captured network traffic?

Something else we could do is look at the filebeat container logs:

./scripts/logs -s filebeat | grep eve

And see what comes from those messages.

[alleniverson33]

So other logs (like Zeek logs) are displaying on the dashboards, but Suricata isn't, is that correct? Can we make sure that your search time frame is covering the entire possible time range? (I wouldn't imagine with running in K8s that the time frame on the captured PCAP and what your browser is set to but it's something to check). So, in other words, setting your search time frame in dashboards as "one year ago" to "1 day from now" or something like that?

Is this from uploaded PCAP data or live-captured network traffic?

Something else we could do is look at the filebeat container logs:

./scripts/logs -s filebeat | grep eve

And see what comes from those messages.

The alarm data for restarting the logstha component Suricata can be seen on the dashboard

[mmguero]

I don't understand your reply. Is this different than the other issue you logged? I don't even understand your issue here, you have not given any useful details or actionable information.