Sending Zeek logs to ELK using Filebeats

local.zeek path
local.zeek
zeekctl check
zeekctl deploy
logs
paths
setup.kibana
output.elasticsearch
enabling zeek module
# Module: zeek
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html
- module: zeek
  capture_loss:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/capture_loss.log"]
  connection:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/conn.log"]
  dce_rpc:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/dce_rpc.log"]
  dhcp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/dhcp.log"]
  dnp3:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/dnp3.log"]
  dns:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/dns.log"]
  dpd:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/dpd.log"]
  files:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/files.log"]
  ftp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/ftp.log"]
  http:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/http.log"]
  intel:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/intel.log"]
  irc:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/irc.log"]
  kerberos:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/kerberos.log"]
  modbus:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/modbus.log"]
  mysql:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/mysql.log"]
  notice:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/notice.log"]
  ntlm:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/ntlm.log"]
  ntp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/ntp.log"]
  ocsp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/oscp.log"]
  pe:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/pe.log"]
  radius:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/radius.log"]
  rdp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/rdp.log"]
  rfb:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/rfb.log"]
  signature:
    enabled: false
    var.paths: ["/usr/local/zeek/logs/current/signature.log"]
  sip:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/sip.log"]
  smb_cmd:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/smb_cmd.log"]
  smb_files:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/smb_files.log"]
  smb_mapping:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/smb_mapping.log"]
  smtp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/smtp.log"]
  snmp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/snmp.log"]
  socks:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/socks.log"]
  ssh:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/ssh.log"]
  ssl:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/ssl.log"]
  stats:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/stats.log"]
  syslog:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/syslog.log"]
  traceroute:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/traceroute.log"]
  tunnel:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/tunnel.log"]
  weird:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/weird.log"]
  x509:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/x509.log"]
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
filebeat setup
filebeat -e
Check Data

Comments

Post a Comment

Popular posts from this blog

Zeek Installation in Ubuntu

Image
What is Zeek? An open-source protocol analyzer and network security monitoring tool, Zeek was once known as Bro. It is intended to assist enterprises with real-time network traffic monitoring and analysis, offering information on network activity, potential security risks, and performance concerns. Due to its effectiveness in swiftly capturing and processing network data, Zeek is especially well-liked among cybersecurity experts and network managers. How to install Zeek in Ubuntu? Update and upgrade the Ubuntu using apt. sudo apt-get update sudo apt-get upgrade Download the Zeek source code from the official website ( https://zeek.org/get-zeek/ ). Zeek offical download page Install dependencies using the below command. sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3-dev swig zlib1g-dev Dependencies installation Once all the dependencies are installed change the directory to the path where the Zeek source code file is downloaded and unzip the file. cd D...
Read more

What is ELK and Installing ELK stack (elasticsearch, logstash, kibana) in Ubuntu

Image
   What is ELK Stack The ELK stack is a collection of three open-source tools — Elasticsearch, Logstash, and Kibana — that work together to collect, store, and analyze data. Here is how each tool works: Elasticsearch : Elasticsearch is a search and analytics engine that provides a distributed, real-time search and analytics platform. It stores data in a distributed index, which allows for fast, real-time search and analysis of data. Elasticsearch is highly scalable, and it can handle a large volume of data with ease. Logstash : Logstash is a data pipeline that collects, filters, and transforms data from different sources before sending it to Elasticsearch. It can collect data from different sources such as log files, databases, and message queues. Logstash can also perform data transformation and filtering to ensure that only the relevant data is sent to Elasticsearch. Kibana : Kibana is a data visualization tool that allows users to create dashboards, visualizations, and repo...
Read more