[Zeek] Zeek Digest, Vol 165, Issue 6

James Offer joffer at sju.edu
Mon Jan 6 12:07:42 PST 2020


All,

This is helpful. Other than my sysadmins' preference, is there any reason
to choose one or the other, between rsyslog and syslog-ng?

Thanks,
Jim

On Mon, Jan 6, 2020 at 3:00 PM <zeek-request at zeek.org> wrote:

> Send Zeek mailing list submissions to
>         zeek at zeek.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> or, via email, send a message with subject or body 'help' to
>         zeek-request at zeek.org
>
> You can reach the person managing the list at
>         zeek-owner at zeek.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Zeek digest..."
>
>
> Today's Topics:
>
>    1. Re: Zeek with ELK (Darren S.)
>    2. Re: Zeek with ELK (duhang)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 5 Jan 2020 17:40:02 -0700
> From: "Darren S." <phatbuckett at gmail.com>
> Subject: Re: [Zeek] Zeek with ELK
> To: sec-x sec-x <center.mnt at gmail.com>
> Cc: Zeek at zeek.org
> Message-ID:
>         <
> CAKVSOJWSnfCrzPyreChQtVVU5LS1yEKO3ufV3S2ZdyJXwj4-9w at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> I read the OP's question as "I have Zeek running on FreeBSD, what is a
> sensible option for shipping logs from the sensor to an Elastic
> Stack?" Apologies if it's the wrong read.
>
> In that case I wouldn't want to install either the whole stack or
> even Logstash on the sensor, as it alone tends to consume an excessive
> amount of memory, not what you want on a sensor. Filebeat (a small
> footprint data collector/shipper) is the way to go if you're shipping
> remotely.
>
> If Filebeat isn't an option on the platform, maybe explore Fluent Bit:
>
> https://github.com/fluent/fluent-bit
> https://fluentbit.io/
>
> Fluent Bit can output directly to Elasticsearch:
> https://fluentbit.io/documentation/0.14/output/elasticsearch.html
>
> Even Fluentd can run with typically lower memory consumption than
> Logstash, so perhaps worth exploring both/either:
>
> https://github.com/fluent/fluentd
> https://www.fluentd.org/
>
> Fluentd can also output to Elasticsearch:
> https://docs.fluentd.org/output/elasticsearch
>
> There are other options for shippers too, such as Syslog-ng:
>
> https://www.syslog-ng.com/community/b/blog/posts/logging-to-elasticsearch-made-simple-with-syslog-ng
>
> - Darren
>
> On Sun, Jan 5, 2020 at 9:11 AM Michael Shirk <shirkdog.bsd at gmail.com>
> wrote:
> >
> > You should be able to fire up Elastic, Logstash and Kibana on FreeBSD,
> using recommended Logstash configs to read in the log files from the file
> system. I can check about the Filebeat port to see if that can be updated
> or fixed.
> >
> > I myself just use the CLI tools but have been working on something "Not
> Java" to ingest log files into other than Splunk.
> >
> >
> > --
> > Michael Shirk
> > Daemon Security, Inc.
> > https://www.daemon-security.com
> >
> > On Sun, Jan 5, 2020, 10:35 sec-x sec-x <center.mnt at gmail.com> wrote:
> >>
> >> Hi,
> >>
> >> I recently used Zeek IDS on FreeBSD 12.1 - Default Policy (GetTraffic
> >> from TAP on the network) and I want to send all the logs to ELK in
> >> realtime.
> >>
> >> I saw the Filebeat port on BSD is old and has problems.
> >>
> >> How can I send the logs from the BSD to the Elastic (what is the
> >> correct/best way)?
> >>
> >>
> >> Thanks,
> >>
> >> CM.
> >> _______________________________________________
> >> Zeek mailing list
> >> zeek at zeek.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> >
>
>
>
> --
> Darren Spruell
> phatbuckett at gmail.com
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 6 Jan 2020 09:52:52 +0800
> From: duhang <darkheaven1983 at gmail.com>
> Subject: Re: [Zeek] Zeek with ELK
> To: sec-x sec-x <center.mnt at gmail.com>
> Cc: Zeek at zeek.org
> Message-ID:
>         <
> CAG+yijM94rhd5m9PifrbnEAf1yRii-N4aWA8-qfDJzCGnr9u9Q at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> You can try the rsyslog imfile module to send logs to Logstash. The following
> is my configuration.
>
> # rsyslog legacy syntax. $MaxMessageSize comes first because rsyslog only
> # honours it when it precedes any module load (Zeek log lines can be long).
> $MaxMessageSize 64k
>
> $ModLoad imfile
> $InputFileName /usr/local/bro/logs/current/dns.log
> $InputFileTag dns:
> $InputFileStateFile stat-dns
> $InputFileSeverity info
> $InputFileFacility local2
> $InputRunFileMonitor
>
> # Disables imuxsock (system log socket) rate limiting; unrelated to imfile
> # but harmless.
> $SystemLogRateLimitInterval 0
> $SystemLogRateLimitBurst 0
>
> # Not shown in the post: an action selecting facility local2 (e.g. local2.*)
> # that forwards the lines to the Logstash input.
>
> sec-x sec-x <center.mnt at gmail.com> wrote on Sun, Jan 5, 2020 at 11:36 AM:
>
> > Hi,
> >
> > I recently used Zeek IDS on FreeBSD 12.1 - Default Policy (GetTraffic
> > from TAP on the network) and I want to send all the logs to ELK in
> > realtime.
> >
> > I saw the Filebeat port on BSD is old and has problems.
> >
> > How can I send the logs from the BSD to the Elastic (what is the
> > correct/best way)?
> >
> >
> > Thanks,
> >
> > CM.
> >
>
> ------------------------------
>
>
>
> End of Zeek Digest, Vol 165, Issue 6
> ************************************
>


-- 
Jim Offer
Network Security Analyst
Saint Joseph's University
(610) 660-1573
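Whichever shipper is used, Zeek's default ASCII logs are TSV files whose #fields and #types header lines define the columns, and a line forwarded by the rsyslog imfile setup quoted above arrives as one raw TSV record that still has to be mapped onto named, typed fields before Elasticsearch can index it usefully. The following is an added example, not code from the thread or from the Zeek project: a small Python parser that applies the header lines (#separator, #set_separator, #empty_field, #unset_field, #path, #fields, #types) to each record and returns JSON-ready dicts, with the unset "-" and "(empty)" markers handled; the sample dns.log is constructed.

```python
# Constructed sample in the layout Zeek writes for dns.log (shortened; real
# files carry more header lines and many more fields).
SAMPLE_DNS_LOG = (
    "#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tquery\tanswers\trcode\n"
    "#types\ttime\tstring\taddr\tport\tstring\tvector[string]\tcount\n"
    "1578264002.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t53211\texample.com\t"
    "93.184.216.34,2606:2800:220:1:248:1893:25c8:1946\t0\n"
    "1578264003.500000\tCLhBcXnRRw3nS9Twz\t10.0.0.7\t53212\t-\t(empty)\t-\n"
)
CASTERS = {"count": int, "int": int, "port": int, "double": float,  # Zeek scalar types
           "time": float, "bool": lambda v: v == "T"}               # that should not stay str

class ZeekTsvParser:
    # Feed lines in file order; feed() returns a dict per record, None for headers.
    def __init__(self):
        self.sep, self.fields, self.types = "\t", [], []
        self.opts = {"set_separator": ",", "empty_field": "(empty)",
                     "unset_field": "-", "path": None}

    def feed(self, line):
        if line.startswith("#separator "):       # value is escaped, e.g. \x09
            self.sep = line[11:].encode().decode("unicode_escape")
            return None
        if line.startswith("#"):                 # other header lines and #close
            key, _, value = line[1:].partition(self.sep)
            if key in ("fields", "types"):
                setattr(self, key, value.split(self.sep))
            elif key in self.opts:
                self.opts[key] = value
            return None
        values = line.split(self.sep)
        if not (len(values) == len(self.fields) == len(self.types)):
            raise ValueError(f"record does not match #fields/#types: {line!r}")
        doc = {"_path": self.opts["path"]}
        for name, typ, raw in zip(self.fields, self.types, values):
            doc[name] = self._convert(typ, raw)
        return doc

    def _convert(self, typ, raw):
        if raw == self.opts["unset_field"]:      # unset -> None, not the string "-"
            return None
        if typ.startswith(("vector[", "set[")):  # containers split on set_separator
            items = [] if raw == self.opts["empty_field"] else raw.split(self.opts["set_separator"])
            return [self._convert(typ[typ.index("[") + 1:-1], v) for v in items]
        return "" if raw == self.opts["empty_field"] else CASTERS.get(typ, str)(raw)

def parse_zeek_log(text):
    parser = ZeekTsvParser()
    return [d for d in map(parser.feed, text.splitlines()) if d is not None]
```

When records come in over syslog rather than from the file, the header lines must reach the parser first (or be replayed after every log rotation), otherwise a record cannot be mapped and the parser raises.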

