[Zeek] Using the Corelight Splunk App with Zeek?

Eric Ooi ericooi at gmail.com
Tue Jan 22 09:07:57 PST 2019


Great!  Glad to hear.  I'll make a note to add that the corelight index
should be created first as that is what the app is expecting.

Ah yes, I believe the overview page is only useful if you have an actual
enterprise Corelight sensor.  For us Zeekers, the other tabs will be more
relevant.

Any feedback on what else you'd like to see in the series?  I'm planning on
changing the first article to leverage af_packet instead of pf_ring and go
over some useful queries in the next article.  But I'm curious to hear what
you and others would be interested in seeing.



On Tue, Jan 22, 2019 at 10:50 AM William Arbaugh <waa at cs.umd.edu> wrote:

> Eric,
>
> Thanks for the blog! It definitely helped me. I'm a novice with Splunk.
>
> My issue was mostly on the splunk end, and a few things with Zeek. I
> changed the following from your blog on my Zeek instance:
>
> 1. I changed the index to main from corelight. I could have created the
> corelight index I suppose and it still would have worked.
> 2. I used the JSON streaming package from Seth which required changing the
> file names to be forwarded. That change cleaned up the JSON that I was
> seeing on Splunk.
>
> On the splunk instance, I just issued 'splunk enable listen 9997' on the
> command line. Previously, I had set up a more complicated receiver using
> the GUI, which I deleted; that also (likely) contributed to cleaning up the
> JSON.
>
> All is well now - the overview page doesn't populate since I can't figure
> out which log file has those metrics to forward. The remaining tabs are
> working like a charm now.
>
> Thanks for the blog!
>
> Best, Bill
>
> On Tue, Jan 22, 2019 at 11:27 AM Eric Ooi <ericooi at gmail.com> wrote:
>
>> Hey Bill,
>>
>> Ha, that's my blog!
>>
>> Can you qualify what you mean by "not going into the corelight index and
>> looked malformed"?  The instructions I outlined are what I use in my own
>> setup and I haven't noticed this same behavior.  Sorry to hear it's not
>> working for your setup.
>>
>> A couple things to check --
>>
>> * Is Zeek successfully generating JSON logs into the "current" folder?
>> * Did you update the inputs.conf file on the forwarder that's installed
>> on the sensor itself?
>>
>> Thanks,
>> Eric
>>
>> On Mon, Jan 21, 2019 at 3:58 PM William Arbaugh <waa at cs.umd.edu> wrote:
>>
>>> Can anyone point me to how to set up the corelight Splunk app with a
>>> zeek sensor?
>>>
>>> I initially followed these instructions:
>>> https://www.ericooi.com/zeekurity-zen-part-ii-how-to-send-zeek-bro-logs-to-splunk/
>>> the JSON coming into Splunk wasn't going into the corelight index though
>>> and looked malformed.
>>>
>>> I then found this message from Seth:
>>> http://mailman.icsi.berkeley.edu/pipermail/zeek/2018-June/013364.html
>>> and I changed to using JSON streaming logs, but still no joy.
>>>
>>> Hints, pointers, etc appreciated.
>>>
>>> Thanks, Bill
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>>
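The thread boils down to three things that have to line up before the Corelight app shows anything: the index the app expects must exist on the indexer, the indexer must be listening for the forwarder, and the forwarder's inputs.conf must point at the JSON streaming logs in Zeek's "current" directory rather than the default TSV logs. The script below is an added example, not from the thread, Eric's blog or the Corelight app; it wraps Eric's two checks and Bill's `splunk enable listen 9997` step in a POSIX sh pre-flight. The paths (/opt/zeek/logs/current, /opt/splunk, /opt/splunkforwarder), the sourcetype name corelight_json, the script name zeek-splunk-preflight.sh, and the assumption that the app tells log types apart by the `_path` field that json-streaming-logs adds are all mine, not something the thread states.

```shell
#!/bin/sh
# zeek-splunk-preflight.sh (assumed name). Added example, not from the
# thread, Eric's blog or the Corelight app.
#   1. the index the app expects ("corelight") must exist on the indexer,
#   2. the indexer must be listening for forwarders (port 9997),
#   3. the forwarder must monitor the json-streaming-logs files in Zeek's
#      "current" directory with the right index and sourcetype.
# Paths, the sourcetype name and the _path check are assumptions.

ZEEK_CURRENT="${ZEEK_CURRENT:-/opt/zeek/logs/current}"      # assumed
SPLUNK_INDEX="${SPLUNK_INDEX:-corelight}"                    # what the app expects
SPLUNK_SOURCETYPE="${SPLUNK_SOURCETYPE:-corelight_json}"     # assumed
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"                    # assumed
FWD_HOME="${FWD_HOME:-/opt/splunkforwarder}"                 # assumed
RECEIVE_PORT="${RECEIVE_PORT:-9997}"

# check_json_logs DIR
# Succeeds only if DIR holds at least one json_streaming_*.log and every
# non-empty one is one JSON object per line (first byte '{') that carries
# "_path", which json-streaming-logs adds and the app is assumed to key on.
# A default Zeek TSV log starts with "#separator" and fails the check.
check_json_logs() {
  dir=$1
  found=0
  for f in "$dir"/json_streaming_*.log; do
    [ -e "$f" ] || continue
    found=1
    [ -s "$f" ] || continue           # freshly rotated empty log is not an error
    first=$(head -n 1 "$f" | cut -c1)
    if [ "$first" != "{" ]; then
      echo "not JSON (still TSV?): $f" >&2
      return 1
    fi
    if ! head -n 1 "$f" | grep -q '"_path"'; then
      echo "no _path field; is json-streaming-logs loaded? $f" >&2
      return 1
    fi
  done
  [ "$found" -eq 1 ] || { echo "no json_streaming_*.log in $dir" >&2; return 1; }
}

# write_inputs_conf DIR INDEX SOURCETYPE OUTFILE
# Writes the forwarder monitor stanza. Only json_streaming_* files are
# matched, so the TSV logs living in the same directory are not forwarded.
write_inputs_conf() {
  dir=$1; index=$2; sourcetype=$3; out=$4
  cat > "$out" <<EOF
[monitor://$dir/json_streaming_*.log]
index = $index
sourcetype = $sourcetype
disabled = 0
EOF
}

# Indexer side: create the index first, then open the receiving port.
indexer_setup() {
  "$SPLUNK_HOME/bin/splunk" add index "$SPLUNK_INDEX"
  "$SPLUNK_HOME/bin/splunk" enable listen "$RECEIVE_PORT"
}

# Sensor side: verify the logs, then install the stanza and restart.
sensor_setup() {
  check_json_logs "$ZEEK_CURRENT" || return 1
  write_inputs_conf "$ZEEK_CURRENT" "$SPLUNK_INDEX" "$SPLUNK_SOURCETYPE" \
    "$FWD_HOME/etc/system/local/inputs.conf"
  "$FWD_HOME/bin/splunk" restart
}

case "${1:-}" in
  indexer) indexer_setup ;;
  sensor)  sensor_setup ;;
  "")      ;;                         # no argument: functions only
  *)       echo "usage: $0 indexer|sensor" >&2; exit 2 ;;
esac
```

Run `sh zeek-splunk-preflight.sh indexer` on the Splunk host and `sh zeek-splunk-preflight.sh sensor` on the Zeek sensor where the universal forwarder lives. If you prefer Bill's route of sending to `main`, set `SPLUNK_INDEX=main` for both; the point is only that the index named in inputs.conf must already exist on the indexer, or the events land nowhere.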