Zeek
Ship your Zeek logs using Filebeat to your Logit.io Stack
Configure Zeek to ship logs via Filebeat to your Logit.io stacks via Logstash.
Follow this step by step guide to get 'logs' from your system to Logit.io:
Step 2 - Configure Zeek Logging
Depending on the version of Zeek or Bro (Zeek's predecessor) you are running, the configuration filepath may vary. If you need assistance in locating the file, refer to your installation's documentation.
For Bro, the configuration file should be named ascii.bro or if you are using Zeek, the filename will be ascii.zeek.
Once you have located the configuration file, you need to find the line that starts with const use_json. Set the value of this line to true (T) to enable the use of JSON format for output.
const use_json = T
Step 3 - Configure Filebeat.yml
The configuration file below is pre-configured to send data to your Logit.io Stack.
Copy the configuration file below and overwrite the contents of the Filebeat configuration file typically located at /etc/filebeat/filebeat.yml
# ============================== Filebeat inputs ===============================
filebeat.inputs:
- type: filestream
enabled: true
paths:
-
fields:
type:
fields_under_root: true
encoding: utf-8
ignore_older: 12h
# ================================== Outputs ===================================
output.logstash:
hosts: ["your-logstash-host:your-ssl-port"]
loadbalance: true
ssl.enabled: true
If you’re running Filebeat 7.10 or older, change the type as shown below.
- type: log
It’s a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com is a great choice.
Step 4 - Validate configuration
If you have issues starting in the next step, you can use these commands below to troubleshoot.
Let's check the configuration file is syntactically correct by running directly inside the terminal.
If the file is invalid, will print an error loading config file error message with details on how to correct the problem.
deb/rpm
sudo -e -c /etc//.yml
macOS
cd <EXTRACTED_ARCHIVE>
sudo ./ -e -c .yml
Windows
cd <EXTRACTED_ARCHIVE>
.\.exe -e -c .yml
Step 5 - Start filebeat
Start or restart to apply the configuration changes.
Step 6 - Launch Logit.io to view your logs
Now you should view your data:
If you don't see logs take a look at How to diagnose no data in Stack below for how to diagnose common issues.
Step 7 - How to diagnose no data in Stack
If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.
Step 8 - Zeek Overview
Zeek (formerly known as Bro) is a free, open-source network security monitoring solution that provides comprehensive threat detection and analysis capabilities. To effectively monitor and analyze security events, it's essential to have a reliable and efficient log management solution. Zeek can be configured to generate logs in various formats, including ASCII and JSON, depending on the desired output.
To send Zeek logs to Logstash for processing and analysis, organizations can use Filebeat, an open-source log shipper. Filebeat can be configured to monitor the Zeek logs directory and send any new logs to Logstash, where they can be processed and analyzed for real-time threat detection and response.
The configuration file path and filename for Zeek may vary depending on the specific installation and version. You can refer to your installation's documentation to find the location of the configuration file. In the configuration file, you need to set the "LogAscii::use_json" variable to "T" (true) to generate logs in JSON format.
Once the logs are generated in the desired format, Filebeat can be used to securely transfer them to Logstash for processing and analysis. Logstash can leverage various plugins and modules to filter, transform, and enhance the data, enabling advanced correlation and analysis to identify potential security threats.
Using Zeek with Filebeat and Logstash provides organizations with a powerful network security monitoring solution that can detect and respond to security incidents in real-time, while also maintaining compliance with industry regulations and standards. By leveraging various agents and modules, organizations can collect and analyze data from various sources, gain valuable insights into their network security posture, and make informed decisions to improve their overall security stance.
If you need any further assistance with migrating your log data to ELK we're here to help you get started. Feel free to get in contact with our support team by sending us a message via live chat & we'll be happy to assist.