[Zeek] syslog

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Wed Jun 24 15:42:32 PDT 2020


Echoing Darren.  I've used Fluentd when backhauling logs back to a
syslog server from ICS Pi sensors.

It's not my "goto", but it's a lightweight alternative that's pretty stable.

On Wed, Jun 24, 2020 at 6:22 PM Darren S. <phatbuckett at gmail.com> wrote:
>
> Apologies as this isn’t the question you asked - but are you able to use a file reader agent that can output to Sysmon? There is a plugin option for Fluentd, and a syslog server like syslog-ng can read from file and forward. May be other options as well.
>
> On Wed, Jun 24, 2020 at 4:55 AM Scot Harris <SHARRIS at hollywoodfl.org> wrote:
>>
>> Does zeek have support to send syslog events?
>>
>> Looked in the logger and notice frameworks but did not see anything there.
>>
>> Documentation has a fair amount about ingesting syslog messages but nothing about outputting them.
>>
>> Running zeek 3.1.1 currently.
>>
>> Wanted to be able to send certain events such as SSH password guessing events to a syslog server which can open tickets on such events.
>>
>> Guessing would need to add another type to the logger framework with config items in zeekctl.cfg for the syslog server address.
>>
>> And use logger -n with that option to send the message to the specific host.
>>
>> Ideas?
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
> --
> Darren Spruell
> phatbuckett at gmail.com



-- 

Patrick Kelley, CISSP, C|EH, ITIL
CTO
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482
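The question in the quoted message (getting specific notices such as SSH password guessing out of Zeek as syslog) has a lighter answer than adding a new writer to the logging framework: Zeek ships a built-in `syslog(s: string)` function that hands a string to the host's syslog(3) facility, and the notice framework exposes a `Notice::policy` hook that runs for every notice before its actions are applied. The script below is an added example written for this page; it is not code from the thread, from Zeek's own policy scripts, or from either poster. It assumes a Zeek 3.x install with the stock `protocols/ssh/detect-bruteforcing` policy available (that script defines `SSH::Password_Guessing`), and it assumes that forwarding from the sensor's local syslog daemon to the remote ticketing syslog server is handled by the daemon's own configuration (rsyslog or syslog-ng), not by Zeek. The module name `SyslogNotice` and the `notices_to_syslog` set are hypothetical names chosen for the example.

```zeek
# Added example, not from the thread: copy selected notices to the local
# syslog daemon via Zeek's built-in syslog() BIF.
# Assumptions: Zeek 3.x; the stock SSH brute-force policy is loadable;
# the local syslog daemon (rsyslog/syslog-ng) is configured separately to
# forward to the remote collector that opens tickets.

@load protocols/ssh/detect-bruteforcing

module SyslogNotice;

export {
    ## Notice types that should be copied to syslog (hypothetical name).
    ## Redefine in local.zeek to add more types, e.g.
    ##   redef SyslogNotice::notices_to_syslog += { SSH::Login_By_Password_Guesser };
    const notices_to_syslog: set[Notice::Type] = {
        SSH::Password_Guessing,
    } &redef;
}

# Notice::policy is invoked once per notice before Notice::ACTION_* are
# applied, so a side effect here needs no new Log::Writer and no zeekctl
# configuration for the syslog destination.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note !in notices_to_syslog )
        return;

    # src and msg are &optional in Notice::Info; guard before dereferencing.
    local src = n?$src ? fmt("%s", n$src) : "-";
    local msg = n?$msg ? n$msg : "";

    # One line per notice in key=value form so the receiving syslog server
    # can match on note= without parsing the free-text message.
    syslog(fmt("zeek_notice note=%s src=%s msg=\"%s\"", n$note, src, msg));
}
```

Drop the file next to `local.zeek` and `@load` it from there (or from `site/local.zeek` under zeekctl). Because `syslog()` goes through the local syslog(3) call, the remote destination and the facility/severity mapping are whatever the sensor's syslog daemon does with messages from the zeek process; confirm on the sensor that the daemon has a forwarding rule for the remote host before relying on it for ticket creation.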