Howdy all,
I’ve been running into an issue with the http.log not populating fields (method, host, uri, referrer, UA) when spanned. I’m still getting the status_code and status_msg populated in the http.log, and I’ve read an ancient article where Seth says this may be because of TCP checksum offloading (https://groups.google.com/forum/#!topic/security-onion/12jqLwMShUo).
We currently have rx/tx-checksumming disabled on the ports we’re monitoring but rx/tx-vlan-offload is enabled, could this be the culprit?
The largest entries in the weird.log are window_recision, data_before_established, and possible_split_routing.
Any help would be much appreciated!
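Added example (not part of the original post): a small diagnostic that reads a Zeek-style TSV http.log and measures how many records carry a status_code but none of the request-side fields, which is the symptom above and what a sensor that sees only one direction of the TCP stream (for instance when request packets are discarded for bad checksums) tends to produce. The embedded log excerpt is constructed, and the field names are the standard http.log columns.

```python
from typing import Dict, List, Tuple

# Constructed Zeek-style http.log excerpt (tab-separated, "-" means unset).
# Records C1 and C3 show the symptom from the post: status_code present,
# request-side fields (method, host, uri, referrer, user_agent) all unset.
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tmethod\thost\turi\treferrer\tuser_agent\tstatus_code\tstatus_msg\n"
    "#types\ttime\tstring\taddr\tstring\tstring\tstring\tstring\tstring\tcount\tstring\n"
    "1.0\tC1\t10.0.0.5\t-\t-\t-\t-\t-\t200\tOK\n"
    "2.0\tC2\t10.0.0.6\tGET\texample.test\t/\t-\tcurl/8.0\t200\tOK\n"
    "3.0\tC3\t10.0.0.7\t-\t-\t-\t-\t-\t404\tNot Found\n"
)

REQUEST_FIELDS = ("method", "host", "uri", "referrer", "user_agent")


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's ASCII TSV log format, keyed by the #fields header line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other metadata lines (#separator, #types, ...) and blanks
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def count_response_only(rows: List[Dict[str, str]]) -> Tuple[int, int]:
    """Return (response_only, with_status) over records that carry a status_code."""
    response_only = with_status = 0
    for row in rows:
        if row.get("status_code", "-") == "-":
            continue
        with_status += 1
        if all(row.get(f, "-") == "-" for f in REQUEST_FIELDS):
            response_only += 1
    return response_only, with_status


def suspect_one_way_capture(rows: List[Dict[str, str]], threshold: float = 0.5) -> bool:
    """True when at least `threshold` of HTTP records are response-only,
    i.e. the sensor is likely missing the client-to-server direction."""
    response_only, with_status = count_response_only(rows)
    return with_status > 0 and response_only / with_status >= threshold


if __name__ == "__main__":
    parsed = parse_zeek_tsv(SAMPLE_HTTP_LOG)
    print(count_response_only(parsed), suspect_one_way_capture(parsed))
```

Point it at a real http.log and compare the ratio before and after changing the offload settings on the monitored interface; if the ratio drops, the one-way visibility explanation holds.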