[Zeek] Using the Corelight Splunk App with Zeek?

William Arbaugh waa at cs.umd.edu
Tue Jan 22 08:49:53 PST 2019


Eric,

Thanks for the blog! It definitely helped me. I'm a novice with Splunk.

My issue was mostly on the splunk end, and a few things with Zeek. I
changed the following from your blog on my Zeek instance:

1. I changed the index to main from corelight. I could have created the
corelight index I suppose and it still would have worked.
2. I used the JSON streaming package from Seth which required changing the
file names to be forwarded. That change cleaned up the JSON that I was
seeing on Splunk.

On the splunk instance, I just issued 'splunk enable listen 9997' on the
command line. Previously, I had set up a more complicated receiver using
the GUI, which I deleted, which (likely) also contributed to cleaning up the
JSON.

All is well now - the overview page doesn't populate since I can't figure
out which log file has those metrics to forward. The remaining tabs are
working like a charm now.

Thanks for the blog!

Best, Bill

On Tue, Jan 22, 2019 at 11:27 AM Eric Ooi <ericooi at gmail.com> wrote:

> Hey Bill,
>
> Ha, that's my blog!
>
> Can you qualify what you mean by "not going into the corelight index and
> looked malformed"?  The instructions I outlined are what I use in my own
> setup and I haven't noticed this same behavior.  Sorry to hear it's not
> working for your setup.
>
> A couple things to check --
>
> * Is Zeek successfully generating JSON logs into the "current" folder?
> * Did you update the inputs.conf file on the forwarder that's installed on
> the sensor itself?
>
> Thanks,
> Eric
>
> On Mon, Jan 21, 2019 at 3:58 PM William Arbaugh <waa at cs.umd.edu> wrote:
>
>> Can anyone point me to how to set up the corelight Splunk app with a zeek
>> sensor?
>>
>> I initially followed these instructions:
>> https://www.ericooi.com/zeekurity-zen-part-ii-how-to-send-zeek-bro-logs-to-splunk/
>> the JSON coming into Splunk wasn't going into the corelight index though
>> and looked malformed.
>>
>> I then found this message from Seth:
>> http://mailman.icsi.berkeley.edu/pipermail/zeek/2018-June/013364.html
>> and I changed to using JSON streaming logs, but still no joy.
>>
>> Hints, pointers, etc appreciated.
>>
>> Thanks, Bill
>
>
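The two checks Eric lists (is Zeek actually writing JSON into the "current" folder, and are the right files being picked up by the forwarder) and Bill's "looked malformed" symptom are both things you can verify on the sensor before touching Splunk. The following pre-flight script is an added example, not code from this thread, from the Zeek project, or from the Corelight app. It assumes the json-streaming-logs package layout that Seth's message points at: one JSON object per line in files named `json_streaming_<log>.log`, each record carrying a `ts` field and a `_path` field naming the log type (the `_path` field name is an assumption here). It flags two common causes of "malformed" events: an ASCII/TSV log header (JSON output not enabled for that log) and a truncated last line (file still being written).

```python
"""Pre-flight check for Zeek JSON logs before forwarding them to Splunk.

Added example; not code from the mailing-list thread, the Zeek project,
or the Corelight Splunk app. Assumptions (not from the thread):
  * logs live in a "current" directory as json_streaming_*.log files
  * every record is one JSON object per line with "ts" and "_path" keys
"""
import glob
import json
import os
import sys

# Constructed sample lines (not real traffic): two good records, one TSV
# header from a log still in ASCII mode, and one truncated JSON line.
SAMPLE_LINES = [
    '{"_path":"conn","_write_ts":"2019-01-22T16:49:53.000000Z",'
    '"ts":"2019-01-22T16:49:53.000000Z","uid":"CHhAvVGS1DHFjwGM9",'
    '"id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"10.0.0.9",'
    '"id.resp_p":443,"proto":"tcp"}',
    '{"_path":"dns","ts":"2019-01-22T16:49:54.000000Z",'
    '"uid":"CZq1m83sXRbd9tYvH7","query":"example.com"}',
    '#separator \\x09',
    '{"_path":"http","ts":"2019-01-22T16:49:55.000000Z","uid":"C',
]


def check_json_log_lines(lines):
    """Validate Zeek JSON log lines.

    Returns (valid_count, malformed, paths) where malformed is a list of
    (line_number, reason) tuples and paths is the set of "_path" values
    seen in valid records.
    """
    valid = 0
    malformed = []
    paths = set()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        # An ASCII/TSV Zeek log starts with "#separator"; Splunk will not
        # parse it as JSON and the events look garbled in the app.
        if line.startswith("#"):
            malformed.append((lineno, "TSV header: JSON output not enabled"))
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            # Typically the last line of a file that Zeek is still writing.
            malformed.append((lineno, "invalid JSON: %s" % exc.msg))
            continue
        if not isinstance(rec, dict) or "ts" not in rec:
            malformed.append((lineno, "record has no ts field"))
            continue
        valid += 1
        paths.add(rec.get("_path", "<no _path>"))
    return valid, malformed, paths


def check_current_dir(current_dir, pattern="json_streaming_*.log"):
    """Run check_json_log_lines over every matching file in current_dir.

    Returns {filename: (valid_count, malformed, paths)}; an empty dict
    means nothing matched, i.e. Zeek is not writing the files the
    forwarder's inputs.conf would be monitoring.
    """
    results = {}
    for path in sorted(glob.glob(os.path.join(current_dir, pattern))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[os.path.basename(path)] = check_json_log_lines(fh)
    return results


def report(name, result):
    valid, malformed, paths = result
    print("%s: %d valid records, paths=%s" % (name, valid, sorted(paths)))
    for lineno, reason in malformed:
        print("  line %d: %s" % (lineno, reason))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = check_current_dir(sys.argv[1])
        if not found:
            print("no json_streaming_*.log files in %s" % sys.argv[1])
        for name, res in found.items():
            report(name, res)
    else:
        report("constructed sample", check_json_log_lines(SAMPLE_LINES))
```

Run it with the sensor's "current" directory as the argument (for example `python3 check_zeek_json.py /opt/zeek/logs/current`, path assumed); with no argument it checks the constructed sample. If a file shows a `#separator` line, that log is still in ASCII mode; if a file shows only a trailing invalid-JSON line, that is the writer mid-line and not a forwarding problem.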