Closed
Labels: intel (Related to integration with threat intel feeds), invalid (This doesn't seem right)
Description
Environment
- Malcolm Version: v25.12.1
- Deployment: Docker (AWS EC2)
- Mode: Offline PCAP processing
- Custom Threat Intel file added: xxx.intel
- Target IP in PCAP: 192.168.2.53
Summary of the Issue
Malcolm processes the PCAP correctly and Arkime sessions are indexed. However:
- Threat Intelligence dashboard shows 0 results
- No zeek.intel dataset exists
- No Zeek log indices (logs-*, logs-zeek-*) are created
- Only arkime_* indices exist in OpenSearch
- It appears that Zeek logs (including intel.log) are not being ingested into OpenSearch.
Expected Behavior
After:
1. Loading a valid .intel file
2. Processing a PCAP containing a matching IP
3. Having frameworks/intel/seen/conn-established enabled
I expect:
- zeek.intel events to be generated
- A logs-zeek-* (or similar) index to be created
- Threat Intelligence dashboard to show matches
Actual Behavior
- Arkime sessions are visible in arkime_sessions3-*
- zeek.conn.* fields visible inside Arkime sessions
- No zeek.intel fields anywhere
- _cat/indices shows only arkime* indices
Output of: GET _cat/indices?v
shows:
arkime_sessions3-*
arkime_fields*
arkime_stats_*
...
(no logs-* indices)
Key Observation
Zeek appears to process traffic correctly (since zeek.conn fields appear in Arkime), but:
No Zeek logs are being indexed into OpenSearch.
This suggests:
- Filebeat not collecting Zeek logs
- Zeek logs not mounted into filebeat container
- Zeek ingestion pipeline disabled
- Deployment running in Arkime-only profile
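Step 1 of the expected-behavior list above ("Loading a valid .intel file") is where custom feeds most often go wrong in practice: Zeek's Intelligence Framework reads TAB-separated files with a `#fields` header, and a file written with spaces, CRLF line endings or bare type names (`ADDR` instead of `Intel::ADDR`) loads silently with no matches. The following POSIX sh validator is an added example, not code from Malcolm or from the reporter; it checks only the documented Zeek intel file format (header, column counts, `Intel::` type prefix, LF endings) and knows nothing about Malcolm's own intel loading. The sample files it writes are constructed, reusing the target IP 192.168.2.53 from the issue's environment section; the `custom-intel` source name and the descriptions are made up.

```shell
#!/bin/sh
# Added example: sanity-check a Zeek Intelligence Framework file before loading it.
# Zeek intel files are TAB-separated, start with a "#fields" header that names at
# least indicator, indicator_type and meta.source, and every data row must carry
# exactly as many columns as the header (the header has one extra token, "#fields").
# Prints one line per problem and returns 0 if the file passes, 1 otherwise.
validate_intel_file() {
    awk -F'\t' '
        BEGIN { req["indicator"] = 1; req["indicator_type"] = 1; req["meta.source"] = 1; bad = 0 }
        /\r$/ { printf "line %d: CRLF line ending, Zeek expects LF\n", NR; bad++ }
        NR == 1 {
            if ($1 != "#fields") { print "line 1: first line must be a TAB-separated #fields header"; bad++; exit 1 }
            ncol = NF - 1                            # data rows omit the "#fields" token
            for (i = 2; i <= NF; i++) idx[$i] = i - 1 # column name -> position in data rows
            for (k in req) if (!(k in idx)) { printf "header: missing required column %s\n", k; bad++ }
            next
        }
        /^#/ || /^$/ { next }                        # other directives and blank lines
        NF != ncol {
            printf "line %d: %d TAB-separated columns, header defines %d (spaces instead of TABs?)\n", NR, NF, ncol
            bad++; next
        }
        ("indicator_type" in idx) && $(idx["indicator_type"]) !~ /^Intel::[A-Z_]+$/ {
            printf "line %d: indicator_type %s is not an Intel:: type (e.g. Intel::ADDR)\n", NR, $(idx["indicator_type"]); bad++
        }
        ("indicator" in idx) && $(idx["indicator"]) == "" { printf "line %d: empty indicator\n", NR; bad++ }
        END { exit (bad > 0) ? 1 : 0 }
    ' "$1"
}

# Writes two constructed sample files into the given directory.
write_sample_intel_files() {
    dir="$1"
    # Constructed: a well-formed file whose indicator is the target IP from this issue.
    printf '#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice\n' > "$dir/good.intel"
    printf '192.168.2.53\tIntel::ADDR\tcustom-intel\tconstructed test indicator\tT\n' >> "$dir/good.intel"
    # Constructed: the same data with two common mistakes: the first row is
    # space-separated, the second uses a bare type name instead of Intel::ADDR.
    printf '#fields\tindicator\tindicator_type\tmeta.source\n' > "$dir/bad.intel"
    printf '192.168.2.53 Intel::ADDR custom-intel\n' >> "$dir/bad.intel"
    printf '192.168.2.54\tADDR\tcustom-intel\n' >> "$dir/bad.intel"
}

# Demo: `sh validate_intel.sh --demo` validates both constructed files.
# For a real file: validate_intel_file /path/to/xxx.intel
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp -d)"
    write_sample_intel_files "$tmp"
    for f in good bad; do
        echo "== $f.intel"
        if validate_intel_file "$tmp/$f.intel"; then echo "OK"; else echo "FAILED"; fi
    done
    rm -rf "$tmp"
fi
```

The validator deliberately treats a column-count mismatch as a hard failure rather than trying to guess the delimiter, because that is exactly the case Zeek accepts without complaint: the file loads, no indicator is ever equal to the observed address, and the intel.log stays empty.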