Zeek

Scanner supports Zeek logs, which contain information related to network security monitoring. In order for Scanner to receive Zeek log events, you need to configure a worfklow to push these logs to an S3 bucket that Scanner is linked to.

Step 1: Set up logs to flow from Zeek to Fluentd to S3

You can follow the Zeek documentation to stream JSON log events to Fluentd. See the Zeek documentation: JSON Streaming Logs.

Note that the JSON Streaming Logs Zeek package helpfully adds a new field _path to each log event that contains the type of the log event, for example conn, dns, http, etc. See Zeek documentation on log types here: Zeek Logs.

You can follow the Fluentd documentation to configure it to receive Zeek JSON logs as input and write output logs to your S3 bucket. Make sure to configure the output format to be JSON. See the Fluentd documentation: Fluentd s3 output module.

Step 2: Link the S3 bucket to Scanner

If you haven't done so already, link the S3 bucket containing your Zeek logs to Scanner using the Linking AWS Accounts guide.

Step 3: Set up an S3 Import Rule in Scanner

  1. Within Scanner, navigate to Settings > S3 Import Rules.

  2. Click Create Rule.

  3. For Rule name, type a name like my_team_name_zeek_logs.

  4. For Destination Index, choose the index where you want these logs to be searchable in Scanner.

  5. For Status, set to Active if you want to start indexing the data immediately.

  6. For Source Type, we recommend zeek, but you are free to choose any name. However, out-of-the-box detection rules will expect zeek.

  7. For AWS Account, choose the account that contains the S3 bucket containing Zeek logs.

  8. For S3 Bucket, choose the S3 bucket containing Zeek logs.

  9. For S3 Key Prefix, type the prefix (i.e. directory path) of the S3 objects that Fluentd is writing.

  10. For File type, choose JsonLines with Gzip compression.

  11. For Timestamp extractors, under Column name, type ts. This is the field in each log event that contains the timestamp information.

  12. Click Preview rule to try it out. Check that the S3 keys you expect are appearing, and check that the log events inside are being parsed properly with the timestamp detected properly.

  13. When you're ready, click Create.

PreviousWindows SysmonNextLinking AWS Accounts

Last updated

Was this helpful?