syslog

Scot · June 24, 2020, 11:53am

Does zeek have support to send syslog events?

Looked in the logger and notice frameworks but did not see anything there.

Documentation has a fair amount about ingesting syslog messages but nothing about outputting them.

Running zeek 3.1.1 currently.

Wanted to be able to send certain events such as SSH password guessing events to a syslog server which can open tickets on such events.

Guessing would need to add another type to the logger framework with config items in zeekctl.cfg for the syslog server address.

And use logger –n with that option to send the message to the specific host.

Ideas?

Darren_S · June 24, 2020, 10:20pm

Apologies as this isn’t the question you asked - but are you able to use a file reader agent that can output to Sysmon? There is a plugin option for Fluentd, and a syslog server like Syslogng can read from file and forward. May be other options as well.

Patrick_Kelley · June 24, 2020, 10:42pm

Echoing Darren. I've used Fluentd when backhauling logs back to a
syslog server from ICS Pi sensors.

It's not my "goto", but it's a lightweight alternative that's pretty stable.

johanna · June 24, 2020, 10:48pm

Hi Scot,

Does zeek have support to send syslog events?

It has basic support to send stuff to syslog - there is a syslog function: base/bif/zeek.bif.zeek — Book of Zeek (v6.1.0)

Note - this is not really nicely tied into anything. However it should in principle work - it is a very thin layer around the libc syslog call.

Johanna

Topic		Replies	Views
best way to apply NLP to syslog entries? Development development	2	90	May 6, 2022
logger in a Zeek's cluster Zeek	2	59	May 6, 2022
Event groups and log streams - looking for feeback Development	0	174	November 28, 2022
syslog events Zeek	3	99	May 6, 2022
Letting system handle log rotation Zeek	3	91	May 6, 2022

syslog

Related Topics