Kibana missing logs while Attack Map is showing activity (fresh HIVE install, no sensors)

[krakixx]

## Summary

I am experiencing an inconsistency between Kibana and the Attack Map:

• The Attack Map shows live attacks
• Kibana does not show the corresponding logs
• This happens on a fresh installation
• HIVE mode only, no sensors
• The issue persists after full OS + T-Pot reinstall

This looks like a pipeline / indexing / visibility issue rather than an attack ingestion problem.

---

## System Information

### Operating System
Distributor ID: Ubuntu
Description: Ubuntu 24.04.3 LTS
Release: 24.04
Codename: noble

### Kernel
Linux tpot-203 6.8.0-90-generic #91-Ubuntu SMP PREEMPT_DYNAMIC x86_64 GNU/Linux

T-Pot Version

• Installed from master repository
• Installation date: 2026-01-23

---

## Hardware Specification

Optiplex – Ubuntu Server (standalone, minimized installation)

• CPU: 6 cores
• RAM: 24 GB
• Disk: 230 GB (LVM)

### Uptime
up 5 min, load average: 0.82, 0.92, 0.46

---

## Installation Log

Relevant part of ~/install_tpot.log: FAILED! => non-zero return code, rc=127/bin/sh: 1: hwclock: not found

Installation continued after this error.
Full installation log available if needed.

---

## Container Status

Command: dps

All containers are UP.

Notable containers:

• elasticsearch (running)
• kibana (running)
• logstash (running)
• map_data (running)
• map_web (running)

---

## T-Pot Service Status

systemctl status tpot

Service is active (running).

---

## Resource Usage

### docker stats

• Kibana: ~75% memory usage
• Elasticsearch: ~74% memory usage
• Logstash: ~76% memory usage
• No container restarts or crashes observed

### htop

• Load normal
• No memory pressure
• No swap usage

### Disk Space
df -h
/dev/mapper/ubuntu--vg-ubuntu--lv 230G 22G 198G 10%

---

## Observed Behavior

• Attack Map displays attacks correctly
• map_data and map_web containers receive data
• Kibana dashboards show no or incomplete logs
• Elasticsearch is running and consuming memory
• Logstash is running but seems not to feed indices visible in Kibana

---

## Expected Behavior

If attacks are visible on the Attack Map, corresponding events should also be visible in Kibana (Dashboards / Discover).

---

## Suspected Area

Possibly related to:

• logstash → elasticsearch pipeline
• index visibility or permissions
• index pattern mismatch
• data being sent to map pipeline but not to the main ingest pipeline

---

## Additional Notes

• Fresh HIVE-only installation
• No sensors
• No customization
• Issue appears immediately after install

If additional logs are needed (logstash, elasticsearch, pipeline debug), I can provide them.

🙏 Thanks for your work on T-Pot — happy to help test or debug further.

### Command used:

**Additional basic support info as requested:

systemctl status tpot:
(active / running)

dps:
(all containers UP)

df -h:
/dev/mapper/ubuntu--vg-ubuntu--lv 230G 22G 198G 10%

Ports check:
systemctl stop tpot
grc netstat -tulpen
(no conflicts observed)

Manual start:
docker compose -f ~/tpotce/docker-compose.yml up
(no errors during startup)
docker compose down -v

Let me know if you want logstash / elasticsearch pipeline logs.**

[t3chn0m4g3]

If you can see events on the AttackMap then the ingest into ES is working perfectly fine as both - AttackMap and Kibana - use the same underlying pipeline:
Honeypot events => LS => ES Index => DataServer => Redis => MapServer => Webapp
Honeypot events => LS => ES Index => Kibana

The upper right corner from the Kibana screenshot is missing, what are you using for the time filter?
If data or fields were missing from an index - as you assumed - the dashboard widgets would indicate missing fields which does not seem to be the case.

You can check docker logs kibana for specific issues and also check Kibana > Discover for visible events.
It is also possible that visualizations were not correctly imported, then you can follow up here.

[katalyst-que]

I had the same issue, but was able to get it to work -- but it was cloud hosted.

Basically, you want to run a few specific diagnostic commands and also run a discovery script to confirm that everything is where its supposed to be
commands like find / -name "dashboard.json" docker logs tpotinit to check for virtualization configuration files.

There was a change in the structure of things in the new T-Pot version so this is important because some of the other resolutions ive found on the internet were not working. For me specifically, after clearing previous remaining info from the kibana install, I was able to synchronize data into kibana by uploading the raw kibana_export.ndjson through Kibana Stack Management > Saved Objects interface and then restarting :)

[krakixx]

I can see the HIVE logs in the Attack Map without any issue.

When I deploy one or more sensors, the situation is the following:

• The sensor logs appear correctly in Kibana
• The HIVE logs continue to appear in the Attack Map
• But the sensor logs never appear in the Attack Map

So the ingestion is working (Kibana receives everything), but the Attack Map only displays events generated by the HIVE, not by the sensors.

All these issues only occur when T-Pot is installed on a standalone Linux system directly on physical hardware (bare metal).

When I install the HIVE inside a Hyper-V virtual machine, everything works correctly:

• HIVE logs appear in the Attack Map
• Sensor logs appear in both Kibana and the Attack Map
• No inconsistency between pipelines

This strongly suggests the issue is related to hardware specifications or BIOS configuration on the bare-metal machine (network interfaces, RTC/clock, power management, or other low-level settings), rather than a T-Pot configuration problem.

I will run additional tests on my side by trying the solutions you suggested.
Thank you both for @kikko-the-killer and @t3chn0m4g3

[t3chn0m4g3]

The AttackMap will only show events if the event actually has valid geo coordinates for source and destination IP. This requires the host being able to lookup its external IP.

[t3chn0m4g3]

Since this is not a general issue I am moving this to the discussions / Q&A.

[jacobholtz]

Where do I go to see the dashboard after I clicked on Kibana? I don't see anything in either of these two dashboard links:

[t3chn0m4g3]

Mentioned here at the end, you seem to have a bad install.

[jacobholtz]

Mentioned here at the end, you seem to have a bad install.

That worked, thank you!