How Do I Change One of the Configuration Files for Docker-Zeek?

The zeekctl.cfg and networks.cfg files are usually stored inside the docker-zeek image and any running container. To edit them, we’ll copy them out to the docker host, make changes there, then restart docker-zeek so it will use those changed configuration files from now on.

No matter which file you wish to edit:

1. Download the new zeek script:

sudo mkdir -p /opt/zeek/bin
sudo wget -O /opt/zeek/bin/zeek
sudo chmod 755 /opt/zeek/bin/zeek
cd /usr/local/bin/
sudo ln -sf /opt/zeek/bin/zeek zeek


If you wish to edit zeekctl.cfg (for example, to turn on automatic log pruning; see the User Guide, section “Deleting Zeek Logs”):

2a. Copy out the zeekctl.cfg file to the host and edit it:

sudo mkdir -p /opt/zeek/etc/
sudo docker cp zeek:/usr/local/zeek/etc/zeekctl.cfg /opt/zeek/etc/zeekctl.cfg
sudo nano /opt/zeek/etc/zeekctl.cfg


If you wish to edit networks.cfg to change the local network settings:

2b. Copy out the networks.cfg file to the host and edit it:

sudo mkdir -p /opt/zeek/etc/
sudo docker cp zeek:/usr/local/zeek/etc/networks.cfg /opt/zeek/etc/networks.cfg
sudo nano /opt/zeek/etc/networks.cfg


If you wish to edit local.zeek (for example, to enable or disable Zeek processing modules, or to change tcp_inactivity_timeout or Pcap::snaplen):

2c. Copy out the local.zeek file to the host and edit it:

sudo mkdir -p /opt/zeek/share/zeek/site/
sudo docker cp zeek:/usr/local/zeek/share/zeek/site/local.zeek /opt/zeek/share/zeek/site/local.zeek
sudo nano /opt/zeek/share/zeek/site/local.zeek


No matter which file you edited:

3. Download the newest image (if any) and restart Zeek:

zeek update
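
If you edited networks.cfg in step 2b, you can check the file before running step 3. The script below is an added example, not part of docker-zeek or Zeek; it assumes the stock networks.cfg layout (one CIDR prefix per line, optionally followed by a descriptive tag, with # comments), and the function name and sample entries are made up for illustration.

```python
import ipaddress
import sys

# Constructed sample contents (not from the original page).
SAMPLE = """\
# local networks
10.0.0.0/8          Private IP space
192.168.1.10/24     Office LAN
172.16.0.0/12       Private IP space
10.0.0.0/8          Entered twice
0.0.0.0/0           Everything
fe80::/64           Link-local IPv6
192.168.0.0         No prefix length
"""

def check_networks_cfg(text):
    """Return (networks, problems) for the text of a networks.cfg file."""
    networks, problems, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # ignore comments and blank lines
        if not line:
            continue
        prefix = line.split(None, 1)[0]          # first field is the CIDR, the rest is a tag
        if "/" not in prefix:
            problems.append((lineno, f"{prefix}: no /prefix-length given"))
            continue
        try:
            net = ipaddress.ip_network(prefix, strict=True)   # rejects set host bits
        except ValueError as exc:
            problems.append((lineno, f"{prefix}: {exc}"))
            continue
        if net.prefixlen == 0:
            problems.append((lineno, f"{prefix}: every address would be treated as local"))
        elif net in seen:
            problems.append((lineno, f"{prefix}: duplicate of line {seen[net]}"))
        else:
            seen[net] = lineno
            networks.append(net)
    return networks, problems

if __name__ == "__main__":
    # Pass the edited file's path, or run with no argument to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    nets, problems = check_networks_cfg(text)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    print(f"{len(nets)} usable network(s), {len(problems)} problem(s)")
    sys.exit(1 if problems else 0)
```

Run it with /opt/zeek/etc/networks.cfg as the argument; a non-zero exit status means at least one line needs fixing before the restart.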

