[Zeek] Using the Corelight Splunk App with Zeek?

Eric Ooi ericooi at gmail.com
Tue Jan 22 08:27:03 PST 2019


Hey Bill,

Ha, that's my blog!

Can you qualify what you mean by "not going into the corelight index and
looked malformed"?  The instructions I outlined are what I use in my own
setup and I haven't noticed this same behavior.  Sorry to hear it's not
working for your setup.

A couple things to check --

* Is Zeek successfully generating JSON logs into the "current" folder?
* Did you update the inputs.conf file on the forwarder that's installed on
the sensor itself?

Thanks,
Eric

On Mon, Jan 21, 2019 at 3:58 PM William Arbaugh <waa at cs.umd.edu> wrote:

> Can anyone point me to how to set-up the corelight Splunk app with a zeek
> sensor?
>
> I initially followed these instructions:
> https://www.ericooi.com/zeekurity-zen-part-ii-how-to-send-zeek-bro-logs-to-splunk/
> the JSON coming into Splunk wasn't going into the corelight index though
> and looked malformed.
>
> I then found this message from Seth:
> http://mailman.icsi.berkeley.edu/pipermail/zeek/2018-June/013364.html and
> I changed to using Json streaming logs, but still no joy.
>
> Hints, pointers, etc appreciated.
>
> Thanks, Bill
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
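The two checks Eric lists (JSON logs actually landing in the "current" folder, and the forwarder's inputs.conf monitoring that folder into the corelight index), as an added shell example that is not code from the thread or from Eric's blog; the Zeek log directory and inputs.conf path are placeholders created in a temp dir here.

```shell
#!/bin/sh
# Added example, not code from the thread or from Eric's blog.
# ZEEK_LOGS and INPUTS_CONF are placeholders; real paths depend on the sensor.

# Returns 0 if the directory holds at least one *.log whose first line is a JSON
# object. Zeek's default ASCII writer starts files with "#separator", which a
# JSON sourcetype in Splunk would index as malformed events.
check_zeek_json_logs() {
    dir=$1; n=0; bad=0
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        case $(head -n 1 "$f") in
            \{*\}) ;;                                  # one JSON object per line
            *) echo "not JSON: $f" >&2; bad=$((bad + 1)) ;;
        esac
    done
    return $(( n == 0 || bad > 0 ))                    # 1 = no logs or non-JSON logs
}

# Returns 0 if inputs.conf has a [monitor://<dir>] stanza that sets index = <index>.
check_inputs_conf() {
    awk -v dir="$2" -v idx="$3" '
        /^\[/     { in_stanza = ($0 == "[monitor://" dir "]") }
        in_stanza { l = $0; gsub(/[ \t]/, "", l); if (l == "index=" idx) found = 1 }
        END       { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample data so the checks run offline: one JSON log dir, one
# TSV log dir, and an inputs.conf that monitors only the JSON dir.
DEMO=$(mktemp -d)
ZEEK_LOGS=$DEMO/current
INPUTS_CONF=$DEMO/inputs.conf
mkdir -p "$ZEEK_LOGS" "$DEMO/tsv"
printf '{"ts":1548114000.1,"uid":"CAbc1x","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","proto":"tcp"}\n' \
    > "$ZEEK_LOGS/conn.log"
printf '#separator \\x09\n#set_separator\t,\n#path\tconn\n' > "$DEMO/tsv/conn.log"
cat > "$INPUTS_CONF" <<EOF
[monitor://$ZEEK_LOGS]
index = corelight
disabled = false
EOF

check_zeek_json_logs "$ZEEK_LOGS" && echo "JSON logs OK"
check_zeek_json_logs "$DEMO/tsv" || echo "TSV logs: enable Zeek's JSON log writer"
check_inputs_conf "$INPUTS_CONF" "$ZEEK_LOGS" corelight && echo "inputs.conf OK"
```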