Hi Team,
I have Zeek installed on my DNS server and I need to collect only dns.log. I am struggling to find the configuration where I could stop monitoring all other protocols and monitor only the DNS protocol.
Can someone please help?
TIA
Blason R
Is this the file which should be modified?
/opt/zeek/share/zeek/base/init-default.zeek
Yes.
You should be able to comment out all protocol analyzers with the exception of DNS.
Patrick Kelley, CISSP, C|EH, ITIL
CTO
patrick.kelley@criticalpathsecurity.com
Yes - I did that; however, the service refused to start. Any clue is much appreciated.
Feb 12 09:43:59 ubuntu-test systemd[1]: zeek.service: Scheduled restart job, restart counter is at 22.
-- Subject: Automatic restarting of a unit has been scheduled
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
I’ll work out the proper configuration in my lab environment and get back to you.
Patrick Kelley, CISSP, C|EH, ITIL
CTO
patrick.kelley@criticalpathsecurity.com
Blason,
The attached /usr/local/zeek/share/zeek/base/init-default.zeek worked fine for me.
I used a base zeek version 5.0.0-dev.114 install for testing.
Let me know if this doesn’t work for you.
zeek-dns-only.txt (2.35 KB)
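The attachment itself is not reproduced here; as an added example (not the attached file and not Zeek's own code), the same "only dns.log" result can be reached without editing base/init-default.zeek at all: a snippet for site/local.zeek that disables every logging stream except the DNS one after all base scripts have created their streams. The stream names `DNS::LOG`, `Log::active_streams` and `Log::disable_stream` are standard Zeek; the set name `keep_streams` and the priority value are this example's own choices. Protocol analyzers still run (so detection-side events such as `weird` still fire), only the log output is restricted.

```zeek
# Added example: restrict Zeek's log output to dns.log only.
# Place in site/local.zeek so it survives package upgrades; edits to
# base/init-default.zeek are overwritten when Zeek is reinstalled.
@load base/protocols/dns

# Log streams that should stay enabled. DNS::LOG backs dns.log.
# Add further IDs here (e.g. Conn::LOG) if more logs are wanted later.
const keep_streams: set[Log::ID] = { DNS::LOG } &redef;

# Base scripts create their streams in zeek_init at priority 5 (default
# handlers run at 0), so a negative priority guarantees every stream
# already exists when this handler looks at Log::active_streams.
event zeek_init() &priority=-10
	{
	# Collect first, then disable: Log::disable_stream() removes the
	# entry from Log::active_streams, and Zeek warns when a table is
	# modified while it is being iterated.
	local to_disable: set[Log::ID] = set();

	for ( id in Log::active_streams )
		{
		if ( id !in keep_streams )
			add to_disable[id];
		}

	for ( id in to_disable )
		Log::disable_stream(id);
	}
```

Before restarting the service, `zeek -a /opt/zeek/share/zeek/site/local.zeek` parses the script without capturing traffic, which surfaces the kind of syntax error that otherwise shows up only as a systemd restart loop.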