Hello everyone,
I need to send Zeek logs to Cisco SNA.
According to the Cisco manual:
“Format: The Zeek log generator must add the zeek_filename="xxx.log" tag before the JSONL string for the Flow Collector.”
I need help with adding the zeek_filename="xxx.log" tag before each JSONL string in the Zeek log.
This is a very specific question. Are you consuming logs from disk or in some streaming fashion like Kafka, ZeroMQ or a socket?
If you have files on disk, the easiest might be to pipe the logs through some filter prefixing each line before passing it on to the collector. E.g, this would do sed ‘s/^/zeek_filename=“conn.log”/g’ < conn.log
But… I’m not familiar with the software/setup you’re working with. Does that help at all?
i want when generate log, add tag
for example :
zeek_filename=“conn.log” ts=1625426341 uid=xyz123 id.orig_h=192.168.1.1 id.orig_p=12345 id.resp_h=192.168.1.2 id.resp_p=80 …
@alexdinoon - I looked at the Cisco SNA docs (looks pretty cool! I wasn’t aware Cisco had this integration). If you’re working on this in a professional context/capacity, you should familiarize yourself with Zeek’s logging framework and Zeek plugin development and decide whether you’d opt for implementing a UDP based log writer, use logstash or some other log forwarder to munge Zeek logs before sending them to Cisco’s SNA UDP endpoint, or check if the JavaScript below does the job for you. This feels a bit of a design/product decision on your end.
For the sake of testing and prototyping an integration with Cisco SNA, the following JavaScript snippet sends UDP packets with the expected jsonl format to the host/port as configured. Note that if you end up using this, you’re required to keep the license, even if it’s just a few lines of code.
I’ve pushed the code to GitHub for anyone interested in using/contributing: GitHub - awelzel/zeekjs-udp-logging: A proof-of-concept JavaScript based UDP logger to integrate Zeek with Cisco's Secure Network Analytics platform.
[EDIT: Removed the code because I don’t think it was proper. See the repo for the latest version],
For anyone following along, I’ve made the repo a proper zkg package that vendors safe-stable-stringify, so should be able to test with:
$ zkg install https://github.com/awelzel/zeekjs-udp-logging
$ zeek -i <interface> zeekjs-udp-logging
Sends to 127.0.0.1:9514 by default.
EDIT: The code was/is sending non-Syslog right now. If someone has input what the actual syslog format should be, happy to udpate.
EDIT: The code was/is sending non-Syslog right now. If someone has input what the actual syslog format should be, happy to udpate.
After some input and testing efforts from @medtemo between the years, the default format of the zeekjs-udp-logging package should now be compatible with what Cisco SNA expects. If anyone else here could test and confirm, that would be amazing.
Thanks again @medtemo !