Sending Zeek logs to ELK using Filebeats

Cyber Tool Guardian
4 min read · Sep 19, 2023


Before sending logs, we must modify the local.zeek file and add the line below at the end of the file. This loads Zeek's json-logs policy, so that logs are written in JSON instead of the default tab-separated format that the Filebeat Zeek module does not parse.

@load policy/tuning/json-logs.zeek

Use the find command to locate the local.zeek file.

find / -name local.zeek

Now copy the path, open the file in nano and add the line at the end.


Save and exit the editor, then check the zeekctl configuration:

sudo zeekctl check

Once zeekctl reports that the Zeek scripts are OK, deploy the configuration:

sudo zeekctl deploy

Go to the Zeek logs directory, /usr/local/zeek/logs/current, and check that the logs are being generated properly (they should now be JSON).


In the Kibana dashboard, go to the Integrations section and search for Zeek. On the integration page, at the bottom right, click “Also available in Beats”.

You will be redirected to the Filebeat Zeek integration page.

Copy the commands from Step 1, open a new terminal window and run them. This downloads and extracts Filebeat.

Now edit the filebeat.yml file. Change the paths to the Zeek logs path. In the setup.kibana section, uncomment hosts and replace localhost with the IP of the Ubuntu machine. In the output.elasticsearch section, replace localhost with the Ubuntu IP in the hosts variable, and uncomment username and password, supplying the password.


Save and exit. Now we must enable the Zeek module: copy the command for your operating system from the Kibana dashboard and run it.


Change directory to modules.d inside the Filebeat directory. Remove the existing zeek.yml file, create a new zeek.yml, and add the configuration below to it.

cd modules.d
rm zeek.yml
nano zeek.yml

zeek.yml:

# Module: zeek
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zeek.html
- module: zeek
  # Each fileset below reads one Zeek log; var.paths overrides the default location.
  capture_loss:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/capture_loss.log"]
  connection:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/conn.log"]
  dce_rpc:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/dce_rpc.log"]
  dhcp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/dhcp.log"]
  dnp3:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/dnp3.log"]
  dns:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/dns.log"]
  dpd:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/dpd.log"]
  files:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/files.log"]
  ftp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/ftp.log"]
  http:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/http.log"]
  intel:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/intel.log"]
  irc:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/irc.log"]
  kerberos:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/kerberos.log"]
  modbus:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/modbus.log"]
  mysql:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/mysql.log"]
  notice:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/notice.log"]
  ntlm:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/ntlm.log"]
  ntp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/ntp.log"]
  ocsp:
    enabled: true
    # The Zeek log is named ocsp.log (the original had a typo, oscp.log).
    var.paths: ["/usr/local/zeek/logs/current/ocsp.log"]
  pe:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/pe.log"]
  radius:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/radius.log"]
  rdp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/rdp.log"]
  rfb:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/rfb.log"]
  signature:
    enabled: false
    var.paths: ["/usr/local/zeek/logs/current/signature.log"]
  sip:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/sip.log"]
  smb_cmd:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/smb_cmd.log"]
  smb_files:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/smb_files.log"]
  smb_mapping:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/smb_mapping.log"]
  smtp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/smtp.log"]
  snmp:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/snmp.log"]
  socks:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/socks.log"]
  ssh:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/ssh.log"]
  ssl:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/ssl.log"]
  stats:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/stats.log"]
  syslog:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/syslog.log"]
  traceroute:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/traceroute.log"]
  tunnel:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/tunnel.log"]
  weird:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/weird.log"]
  x509:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/x509.log"]
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

Note: change var.paths if your Zeek log directory is different. Save and exit.
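Before starting Filebeat it is worth checking that every log named in zeek.yml actually exists and is in JSON form, since a missing @load line (the first step above) leaves Zeek writing TSV logs that the module will not parse. The script below is an added example, not part of the original post: it reads the var.paths entries from a zeek.yml in the one-path-per-line form used above and classifies each log, using a constructed fixture directory in place of /usr/local/zeek/logs/current.

```shell
#!/bin/sh
# Added example, not from the original post: check that every log named in a
# Filebeat zeek.yml exists and is JSON (i.e. json-logs.zeek was loaded).
# Assumes the one-path-per-line form  var.paths: ["/path/x.log"]  used above.

# Print each file path listed in a var.paths entry of the given zeek.yml.
zeek_yml_paths() {
    sed -n 's/.*var\.paths: *\["\([^"]*\)"\].*/\1/p' "$1"
}

# Classify one log: json, tsv (json-logs.zeek not loaded), empty or missing.
zeek_log_format() {
    [ -e "$1" ] || { echo missing; return 0; }
    first=$(sed -n '/./{p;q;}' "$1")       # first non-empty line
    case $first in
        '')            echo empty ;;
        '{'*)          echo json ;;
        '#separator'*) echo tsv ;;
        *)             echo unknown ;;
    esac
}

# Print "<path> <format>" for each configured log; return 1 if any is not JSON.
check_zeek_logs() {
    rc=0
    for p in $(zeek_yml_paths "$1"); do
        fmt=$(zeek_log_format "$p")
        echo "$p $fmt"
        [ "$fmt" = json ] || rc=1
    done
    return $rc
}

# Constructed fixture standing in for /usr/local/zeek/logs/current:
# conn.log in JSON, dns.log still in Zeek's default TSV, http.log absent.
make_fixture() {
    d=$(mktemp -d)
    printf '{"ts":1695081600.1,"uid":"CONSTRUCTED","id.orig_h":"10.0.0.5"}\n' > "$d/conn.log"
    printf '#separator \\x09\n#set_separator\t,\n' > "$d/dns.log"
    for n in conn dns http; do
        printf '  %s:\n    enabled: true\n    var.paths: ["%s/%s.log"]\n' "$n" "$d" "$n"
    done > "$d/zeek.yml"
    echo "$d/zeek.yml"
}

CFG=$(make_fixture)
check_zeek_logs "$CFG" || echo "some configured Zeek logs are not JSON: reload Zeek with json-logs.zeek"
```

Point check_zeek_logs at the real modules.d/zeek.yml on the sensor to run it against live logs; a "tsv" result means local.zeek is missing the @load line, and "missing" usually means var.paths points at the wrong directory.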

Once zeek.yml is configured, copy the filebeat setup and run commands from the Kibana page and run them:

filebeat setup
filebeat -e

Once Filebeat has successfully connected to Elasticsearch, go back to Kibana and click “Check Data”.


Once data is successfully received, click “Zeek Overview”.

The Zeek dashboard will load with data.
