Hello everyone, I hope you can help me.
I have my Suricata server connected to the core of my network; it sends the logs to Wazuh through Filebeat.
The problem I am having is that the timestamps of the events and alerts on the Suricata server are delayed, and this delay increases with the passage of time. For example: I stop the Suricata service, delete the eve.json and fast.log files and restart the service, and the timestamps are correctly synchronized, but a few minutes later the delay in the timestamps starts again. This delay can grow to hours.
Thank you very much in advance.
It seems that Filebeat cannot send logs as fast as they are produced. To test whether this is the case, enable only a single test rule and see if the same issue continues.
If it is indeed the case, there are several possible options to solve it:
- reduce the number of alerts produced by Suricata
- tune Filebeat to send data faster
- tune Wazuh to be able to ingest more data.
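One way to measure the drift this thread describes, added here as an example rather than code from any of the posters: parse the `timestamp` field of each eve.json line and compare it with the wall clock at the moment the line is read. If the lag keeps growing while Filebeat is keeping up with the file, the backlog sits before the line is written, which is a different problem from slow shipping. The sample lines are constructed, and the timestamp layout assumed is Suricata's default `YYYY-MM-DDTHH:MM:SS.ffffff+0000`.

```python
import json
from datetime import datetime, timezone

# Suricata's default EVE timestamp layout, e.g. "2024-05-06T09:15:02.123456+0000"
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_event_time(line):
    """Return the event's timestamp as an aware datetime, or None for unusable lines."""
    try:
        event = json.loads(line)
        return datetime.strptime(event["timestamp"], TS_FORMAT)
    except (ValueError, KeyError, TypeError):
        return None


def lag_seconds(line, reference):
    """Seconds between the reference wall clock and the time Suricata stamped the event."""
    ts = parse_event_time(line)
    return None if ts is None else (reference - ts).total_seconds()


def drift_report(lines, reference, threshold=60.0):
    """Summarise lag over a batch of EVE lines in file order.

    'newest_lag' is the lag of the last parseable line; 'behind' flags it
    when the most recently written event is already older than threshold.
    """
    lags = [l for l in (lag_seconds(x, reference) for x in lines) if l is not None]
    if not lags:
        return {"events": 0, "min_lag": None, "max_lag": None,
                "newest_lag": None, "behind": False}
    return {"events": len(lags), "min_lag": min(lags), "max_lag": max(lags),
            "newest_lag": lags[-1], "behind": lags[-1] > threshold}


def report_file(path, reference=None, threshold=60.0):
    """Run drift_report over a live eve.json (reference defaults to now, UTC)."""
    reference = reference or datetime.now(timezone.utc)
    with open(path, encoding="utf-8") as fh:
        return drift_report(fh, reference, threshold)


# Constructed sample: two alerts, one corrupt line, read at 10:00:00 UTC
SAMPLE_LINES = [
    '{"timestamp":"2024-05-06T09:45:00.500000+0000","event_type":"alert","src_ip":"10.0.0.5"}',
    'this line is not json',
    '{"timestamp":"2024-05-06T09:59:58.000000+0000","event_type":"alert","src_ip":"10.0.0.9"}',
]
REFERENCE = datetime(2024, 5, 6, 10, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(drift_report(SAMPLE_LINES, REFERENCE))
```

Run `report_file("/var/log/suricata/eve.json")` every few minutes during busy hours and idle hours; a `max_lag` that climbs only under load matches the pattern reported in this thread.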
The delay in the timestamps occurs in the events created by Suricata, and consequently not in the Elastic server. I have noticed that the delay does not occur during nights and weekends, when there is little traffic. The funny thing is that the Suricata server does not pass 10% CPU usage.
Can you attach a sample event (full json) where you see the described delay in the time?
After several tests, my solution was to disable http in the suricata.yaml file.
I honestly don't know why disabling http keeps the timestamps correctly in sync, but unfortunately I will lose visibility of security events related to http.