How Do I Change One of the Configuration Files for Docker-Zeek?

The zeekctl.cfg and networks.cfg files are usually stored inside the docker-zeek image and any running container. To edit them, we’ll copy them out to the docker host, make changes there, then restart docker-zeek so it will use those changed configuration files from now on.

No matter which file you wish to edit:

1. Download the new zeek script:

sudo mkdir -p /opt/zeek/bin
sudo wget -O /opt/zeek/bin/zeek https://raw.githubusercontent.com/activecm/docker-zeek/master/zeek
sudo chmod 755 /opt/zeek/bin/zeek
cd /usr/local/bin/
sudo ln -sf /opt/zeek/bin/zeek zeek

If you wish to edit zeekctl.cfg (for example, to turn on automatic log pruning; see the User Guide, section “Deleting Zeek Logs”):

2a. Copy out the zeekctl.cfg file to the host and edit it:

sudo mkdir -p /opt/zeek/etc/
sudo docker cp zeek:/usr/local/zeek/etc/zeekctl.cfg /opt/zeek/etc/zeekctl.cfg
sudo nano /opt/zeek/etc/zeekctl.cfg

If you wish to edit networks.cfg to change the local network settings:

2b. Copy out the networks.cfg file to the host and edit it:

sudo mkdir -p /opt/zeek/etc/
sudo docker cp zeek:/usr/local/zeek/etc/networks.cfg /opt/zeek/etc/networks.cfg
sudo nano /opt/zeek/etc/networks.cfg

If you wish to edit local.zeek (for example, to enable or disable zeek processing modules or change the tcp_inactivity_timeout or Pcap::snaplen):

2c. Copy out the local.zeek file to the host and edit it:

sudo mkdir -p /opt/zeek/share/zeek/site/
sudo docker cp zeek:/usr/local/zeek/share/zeek/site/local.zeek /opt/zeek/share/zeek/site/local.zeek
sudo nano /opt/zeek/share/zeek/site/local.zeek

No matter which file you edited:

3. Download the newest image (if any) and restart zeek:

zeek update

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=3132

How Can I View Logs from Specific Docker Containers?

sudo hunt logs web
sudo hunt logs api
sudo hunt logs db
sudo hunt logs auth

Can I Change Where the Docker Files Are Stored?

Here’s how you can switch the docker storage location.

First, stop the docker daemon.

sudo systemctl stop docker

Next, move your docker directory. In this example we are moving the directory to /hunt/docker, but you can choose your own location as long as you use that same directory in the subsequent steps as well.

sudo mv /var/lib/docker /hunt/docker

Create /etc/docker/daemon.json and make it look like this:

{
    "data-root": "/hunt/docker"
}

Or if the file already exists then add the “data-root” line immediately after the opening brace like this:

{
    "data-root": "/hunt/docker",
    ...existing contents
}
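Editing daemon.json by hand is easy to get wrong: a duplicate "data-root" key or a stray trailing comma leaves a file dockerd refuses to start on. The helper below is an added example, not part of this FAQ or of AC-Hunter; the function name set_docker_data_root, its FILE and NEW_ROOT parameters and the .bak/.tmp file names are assumptions, and it checks the result with python3 only when that is installed.

```shell
#!/bin/sh
# Added example (not from the FAQ): set "data-root" in a Docker daemon.json.
# Hypothetical helper; FILE and NEW_ROOT are parameters so it can be tried on a
# scratch copy before touching /etc/docker/daemon.json.
# Assumes NEW_ROOT is a plain path (no quotes, backslashes or '&').
set -eu

# set_docker_data_root FILE NEW_ROOT
set_docker_data_root() {
    file=$1
    root=$2
    if [ ! -s "$file" ]; then
        # No daemon.json yet: write the minimal file shown in the FAQ
        printf '{\n    "data-root": "%s"\n}\n' "$root" > "$file"
    else
        cp -p "$file" "$file.bak"                 # keep the original for rollback
        if grep -q '"data-root"' "$file"; then
            # Key already present: replace its value instead of adding a duplicate key
            awk -v root="$root" '
                { sub(/"data-root"[ \t]*:[ \t]*"[^"]*"/, "\"data-root\": \"" root "\""); print }
            ' "$file" > "$file.tmp"
        elif [ "$(tr -d ' \t\r\n' < "$file")" = '{}' ]; then
            # Empty object: inserting the line with a trailing comma would break the JSON
            printf '{\n    "data-root": "%s"\n}\n' "$root" > "$file.tmp"
        else
            # General case from the FAQ: add the line right after the opening brace
            awk -v root="$root" '
                !done && (i = index($0, "{")) {
                    print substr($0, 1, i) "\n    \"data-root\": \"" root "\"," substr($0, i + 1)
                    done = 1
                    next
                }
                { print }
            ' "$file" > "$file.tmp"
        fi
        mv "$file.tmp" "$file"
    fi
    # dockerd will not start on malformed daemon.json, so check before restarting it
    if command -v python3 >/dev/null 2>&1 && ! python3 -m json.tool "$file" >/dev/null 2>&1; then
        echo "error: $file is not valid JSON; fix it by hand (backup, if any, in $file.bak)" >&2
        return 1
    fi
}
```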

Then start the docker daemon again:

sudo systemctl start docker

At this point you should be able to access AC-Hunter through the web interface; if not, try starting it manually with:

sudo hunt up -d --force-recreate


Removing Old Docker Images

From the AC-Hunter system, run:

sudo docker image prune
