Using the Corelight Splunk App with Zeek?

Zeek
1

Can anyone point me to how to set-up the corelight Splunk app with a zeek sensor?

I initially followed these instructions: https://www.ericooi.com/zeekurity-zen-part-ii-how-to-send-zeek-bro-logs-to-splunk/ the JSON coming into Splunk wasn’t going into the corelight index though and looked malformed.

I then found this message from Seth: http://mailman.icsi.berkeley.edu/pipermail/zeek/2018-June/013364.html and I changed to using Json streaming logs, but still no joy.

Hints, pointers, etc appreciated.

Thanks, Bill

2

Hey Bill,

Ha, that’s my blog!

Can you qualify what you mean by “not going into the corelight index and looked malformed”? The instructions I outlined are what I use in my own setup and I haven’t noticed this same behavior. Sorry to hear it’s not working for your setup.

A couple things to check –

  • Is Zeek successfully generating JSON logs into the “current” folder?
  • Did you update the inputs.conf file on the forwarder that’s installed on the sensor itself?

Thanks,
Eric

3

Eric,

Thanks for the blog! It definitely helped me. I’m a novice with Splunk.

My issue was mostly on the splunk end, and a few things with Zeek. I changed the following from your blog on my Zeek instance:

  1. I changed the index to main from corelight. I could have created the corelight index I suppose and it still would have worked.
  2. I used the JSON streaming package from Seth which required changing the file names to be forwarded. That change cleaned up the JSON that I was seeing on Splunk.

On the splunk instance, I just issued ‘splunk enable listen 9997’ on the command line. Previously, I had set-up a more complicated receiver using the GUI which I deleted which also contributed (likely) to cleaning up the JSON.

All is well now - the overview page doesn’t populate since I can’t figure out which log file has those metrics to forward. The remaining tabs are working like a charm now.

Thanks for the blog!

Best, Bill

4

Great! Glad to hear. I’ll make a note to add that the corelight index should be created first as that is what the app is expecting.

Ah yes, I believe the overview page is only useful if you have an actual enterprise Corelight sensor. For us Zeekers, the other tabs will be more relevant.

Any feedback on what else you’d like to see in the series? I’m planning on changing the first article to leverage af_packet instead of pf_ring and go over some useful queries in the next article. But I’m curious to hear what you and others would be interested in seeing.