Blank HTTP logs

Howdy all,

I’ve been running into an issue with the http.log not populating fields (method, host, uri, referrer, UA) when spanned. I’m still getting the status_code and status_msg populated in the http.log, and I’ve read an ancient article where Seth says this may be because of TCP checksum offloading. (https://groups.google.com/forum/#!topic/security-onion/12jqLwMShUo)

We currently have rx/tx-checksumming disabled on the ports we’re monitoring but rx/tx-vlan-offload is enabled, could this be the culprit?

The largest entries in the weird.log are window_recision, data_before_established, and possible_split_routing.

Any help would be much appreciated!

I suspect that your span port is only capturing one direction of the traffic. All of the fields that you said are missing are from the client.

Check your conn log to see if you’re seeing orig_pkts or resp_pkts frequently set to zero.

.Seth
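As an added example (not code from this thread), the conn.log check Seth suggests, run over a constructed sample: it counts TCP connections with orig_pkts or resp_pkts at zero and classifies each record's history string by which side Zeek saw. The sample log is constructed and trimmed to the fields used here; the TCP-only filter is the example's own assumption, since single-packet UDP flows are often legitimately one-way.

```python
"""Spot one-directional capture in a Zeek conn.log (added example, not from the thread)."""
from collections import Counter

# Constructed sample conn.log in Zeek's TSV format, trimmed to the fields used here.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\thistory\torig_pkts\tresp_pkts\n"
    "1500000000.1\tCa1\t10.0.0.5\t51000\t203.0.113.10\t80\ttcp\thttp\tShADadfF\t12\t15\n"
    "1500000001.2\tCa2\t10.0.0.6\t51001\t203.0.113.10\t80\ttcp\thttp\thadf\t0\t9\n"
    "1500000002.3\tCa3\t10.0.0.7\t51002\t203.0.113.10\t443\ttcp\tssl\thadf\t0\t22\n"
    "1500000003.4\tCa4\t10.0.0.8\t51003\t203.0.113.10\t80\ttcp\thttp\tShADadFf\t8\t7\n"
    "1500000004.5\tCa5\t10.0.0.9\t51004\t203.0.113.53\t53\tudp\tdns\tD\t1\t0\n"
    "#close\t2017-07-14-00-00-05\n"
)

def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def history_side(history):
    """Zeek writes originator events in upper case and responder events in lower case."""
    letters = [c for c in history if c.isalpha()]
    has_orig = any(c.isupper() for c in letters)
    has_resp = any(c.islower() for c in letters)
    if has_orig and has_resp:
        return "both"
    return "orig_only" if has_orig else "resp_only"

def summarize(records):
    """Count TCP connections with zero packets in one direction, plus history sidedness."""
    tcp = [r for r in records if r["proto"] == "tcp"]  # assumption: UDP is often one-way anyway
    one_sided = [r for r in tcp if r["orig_pkts"] == "0" or r["resp_pkts"] == "0"]
    sides = Counter(history_side(r["history"]) for r in tcp)
    pct = round(100.0 * len(one_sided) / len(tcp), 1) if tcp else 0.0
    return {"tcp_total": len(tcp), "one_sided": len(one_sided),
            "one_sided_pct": pct, "history_sides": dict(sides)}

if __name__ == "__main__":
    # A high one_sided_pct with history skewed to one side points at the SPAN feed, not Zeek.
    print(summarize(parse_conn_log(SAMPLE_CONN_LOG)))
```

On a real sensor, feed the script the current conn.log instead of the constructed sample; a one-sided share near zero means the feed is bidirectional and the cause lies elsewhere.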

Cool, that’s what I was thinking as well, since we’re only seeing resp or orig in the history of the conn.log as well. I’m thinking they spanned and have RX on one port with TX on the other. Thanks for the help!