Is it possible to configure the zeek-agent to listen on UDP 53 and log/analyze/categorize DNS queries to the host (the example host would be a DNS server)? Or, I guess more generally, can the zeek-agent listen to a network interface and treat it more like a remote sensor for Zeek?
zeek-agent doesn't do this. zeek-agent leverages operating system facilities like macOS's Endpoint Security framework and Linux's audit system to provide host process activity. Work is underway to collect file writes and network activity (connections, not full DPI), but a Zeek remote sensor is not on the zeek-agent roadmap that I'm aware of. The agent is intended to complement Zeek's network vantage point with endpoint-specific telemetry, not to provide a secondary network collection point.
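For the original goal of logging queries arriving at one DNS server, the place to do it is a Zeek sensor that sees the server's traffic (a span/tap port or a Zeek instance on the server's own interface), not the agent. The script below is an added example and is not part of the thread or of the zeek-agent project: it uses Zeek's standard `dns_request` event and logging framework to write a dedicated log of queries sent to a single server. The server address `192.0.2.53`, the module name and the log path are assumed values.

```zeek
# Added example (not from the thread): log DNS queries addressed to one
# DNS server from a Zeek network sensor, using Zeek's own dns_request
# event. The server address is an assumed placeholder; override it with
# "redef DNSToServer::dns_server = <addr>;" in local.zeek.

module DNSToServer;

export {
    # New log stream; Zeek writes it as dns_to_server.log
    redef enum Log::ID += { LOG };

    # Assumed address of the DNS server being watched (RFC 5737 test range)
    const dns_server: addr = 192.0.2.53 &redef;

    type Info: record {
        ts:         time   &log;  # time the query was seen on the wire
        uid:        string &log;  # connection uid, joins against conn.log/dns.log
        client:     addr   &log;  # host that sent the query
        query:      string &log;  # queried name
        qtype_name: string &log;  # query type as text (A, AAAA, TXT, ...)
    };
}

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="dns_to_server"]);
    }

# dns_request fires once per question in a DNS request; Zeek has already
# parsed the UDP/TCP payload, so no port listening is needed here.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    # Only keep queries whose responder is our server on port 53
    if ( c$id$resp_h != dns_server || c$id$resp_p != 53/udp )
        return;

    Log::write(LOG, [$ts=network_time(),
                     $uid=c$uid,
                     $client=c$id$orig_h,
                     $query=query,
                     # DNS::query_types maps the numeric qtype to its name
                     $qtype_name=DNS::query_types[qtype]]);
    }
```

Run it against a capture with `zeek -C -r capture.pcap dns_to_server.zeek`, or `@load` it from `local.zeek` on a live sensor. Zeek's stock `dns.log` already records every query and answer it sees; this script only adds a narrower view keyed to one server, which is the kind of categorization the question asked the agent to do. Note that a sensor on the server's own interface still needs packet capture privileges (e.g. `CAP_NET_RAW` on Linux); the agent's audit/ESF hooks do not provide that.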