Zeek with ELK

sec-x_sec-x · January 5, 2020, 3:32pm

Hi,

I recently used zeek IDS on FreeBSD 12.1 - Default Policy (GetTraffic
from TAP on the network) and i want to send all the logs to ELK in
realtime.

I saw Filebeat ports on BSD is old and has problems.

How can i send the logs from the BSD to the Elastic (what is the
correct/best way)?

Thanks,

CM.

Patrick_Kelley · January 5, 2020, 4:00pm

Logstash is the best option.

http://thegreyblog.blogspot.com/2014/01/installing-logstash-on-freebsd.html?m=1

Patrick Kelley, CISSP, C|EH, ITIL
CTO
patrick.kelley@criticalpathsecurity.com

Michael_Shirk · January 5, 2020, 4:05pm

You should be able to fire up Elastic, Logstash and Kibana on FreeBSD, using recommend Logstash configs to read in the log files from the file system. I can check about the Filebeat port to see if that can be updated or fixed.

I myself just use the CLI tools but have been working on something “Not Java” to ingest log files into other than Splunk.

Darren_S · January 6, 2020, 12:40am

I read OP question as "I have Zeek running on FreeBSD, what is a
sensible option for shipping logs from the sensor to an Elastic
Stack?" Apologies if it's the wrong read.

In that case I wouldn't want to install either the whole stack nor
even Logstash on the sensor as it alone tends to consume an excessive
amount of memory, not what you want on a sensor. Filebeat (a small
footprint data collector/shipper) is the way to go if you're shipping
remotely.

If Filebeat isn't an option on the platform, maybe explore Fluent Bit:

https://github.com/fluent/fluent-bit
https://fluentbit.io/

Fluent Bit can output directly to Elasticsearch:
https://fluentbit.io/documentation/0.14/output/elasticsearch.html

Even a Fluentd can run with typically lower memory consumption than
Logstash, so perhaps worth exploring both/either:

https://github.com/fluent/fluentd
https://www.fluentd.org/

Fluentd can also output to Elasticsearch:
https://docs.fluentd.org/output/elasticsearch

There are other options for shippers too, such as Syslog-ng:
https://www.syslog-ng.com/community/b/blog/posts/logging-to-elasticsearch-made-simple-with-syslog-ng

- Darren

duhang · January 6, 2020, 1:52am

You can try rsyslog imfile module to send logs to logstash. The following is my configuration.

$ModLoad imfile
$InputFileName /usr/local/bro/logs/current/dns.log
$InputFileTag dns:
$InputFileStateFile stat-dns
$InputFileSeverity info
$InputFileFacility local2
$InputRunFileMonitor

$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
$MaxMessageSize 64k

sec-x sec-x <center.mnt@gmail.com> 于2020年1月5日周日下午11:36写道：

Topic		Replies	Views
Absolute Newbie - What is my next move Zeek	7	317	February 11, 2023
filebeat +elk Zeek	19	158	May 6, 2022
Bro Logs Ingestion Zeek	6	358	May 6, 2022
Zeek ELK integration Zeek	1	104	May 6, 2022
ElasticSearch plugin Zeek	18	343	May 6, 2022

Zeek with ELK

Related topics