Absolute Newbie - What is my next move

G’Day Everyone,
Greetings.
So I just installed Zeek on Ubuntu Server and it says it is running.
I want to get brim and Elasticsearch to work with it, but cannot figure out my next move.
I need to be receiving/collecting logs from the network.
Please provide guidance.
Thanks.

Hello,

You might like Eric’s post on this:

You probably won’t need Brim in this case. Brim is useful for reading a pcap and creating Zeek and Suricata logs.

It might also be best to mention this in our Slack channel if you want interactive help.

Sincerely,

Richard

Many thanks for your reply. I will look at it and benefit myself.

Thanks. I wiped and reloaded Ubuntu Server on this box and am stepping through Zeekurity Zen - Part I: How to Install Zeek on Ubuntu - ericooi.com
but after step one no longer have a network connection. Tell me should this box have two NICs or will one suffice?
Thanks

Also, why does wget https://download.zeek.org/zeek-5.1.1.tar.gz tell me HTTP request sent, awaiting response… 403 forbidden?

Thanks

Hello,

I’m not sure what the problem is. I just tried that link and it works.

Sincerely,

Richard

Hello,

You need a sensor with two NICs. One NIC is your management interface. It will have an IP address that you can connect to via SSH, for example. The second NIC is your sniffing interface. It will not have an IP address.

Sincerely,

Richard
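The two-NIC split described above (one interface with an IP for management, one without for sniffing) is also what ZeekControl needs to be told: node.cfg names the sniffing interface. The script below is an added example, not Richard's or the Zeek project's code. It parses constructed `ip -o link show` and `ip -o -4 addr show` output for a sensor with interfaces ens18 and ens19 (names and addresses are made up), picks the NIC that is up but carries no IPv4 address, and emits the standalone node.cfg stanza for it.

```shell
#!/bin/sh
# Added example (not from the thread or Richard's post): on a two-NIC sensor, find the
# NIC that is up but carries no IPv4 address (the sniffing interface) and emit the
# matching Zeek node.cfg stanza. Interface names and addresses below are constructed.

# Constructed sample of `ip -o link show`: lo, the management NIC, and the sniffing NIC.
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: ens19: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'

# Constructed sample of `ip -o -4 addr show`: only the management NIC has an address.
SAMPLE_ADDR='2: ens18    inet 192.0.2.10/24 brd 192.0.2.255 scope global ens18\       valid_lft forever preferred_lft forever'

# Interfaces that are administratively UP, excluding loopback.
# $1: `ip -o link show` output
up_ifaces() {
    printf '%s\n' "$1" | awk -F': ' '$2 != "lo" && $3 ~ /[<,]UP[,>]/ { print $2 }'
}

# Interfaces that carry at least one IPv4 address (the management side).
# $1: `ip -o -4 addr show` output
addr_ifaces() {
    printf '%s\n' "$1" | awk 'NF { print $2 }' | sort -u
}

# Sniffing candidates: UP and without an IPv4 address.
# $1: link output, $2: addr output
sniff_candidates() {
    with_ip=$(addr_ifaces "$2")
    up_ifaces "$1" | while IFS= read -r ifc; do
        if ! printf '%s\n' "$with_ip" | grep -qx -- "$ifc"; then
            printf '%s\n' "$ifc"
        fi
    done
}

# Standalone node.cfg stanza for ZeekControl, pointed at the given interface.
# $1: interface name
node_cfg_for() {
    if [ -z "$1" ]; then
        echo "no sniffing interface found: check that the second NIC is up and has no IP" >&2
        return 1
    fi
    printf '[zeek]\ntype=standalone\nhost=localhost\ninterface=%s\n' "$1"
}

# Demo on the constructed samples. On a live sensor use the real command output instead:
#   sniff_candidates "$(ip -o link show)" "$(ip -o -4 addr show)"
found=$(sniff_candidates "$SAMPLE_LINK" "$SAMPLE_ADDR")
printf 'Sniffing interface candidates:\n%s\n' "$found"
node_cfg_for "$(printf '%s\n' "$found" | head -n 1)"
```

On a real sensor, feed the live `ip` output into `sniff_candidates` and confirm the NIC it names is not the one holding your default route before copying the stanza into node.cfg; if it lists nothing, the second NIC is either down or still has an address from the installer's network setup.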

Thanks very much.
Also for recommending Eric Ooi’s step by step.
Warm Regards.
