Can I Send Zeek Logs from an Existing Zeek Sensor to AC-Hunter to Be Analyzed?

Yes.

  1. Log in to your Zeek sensor as a user that can read the Zeek logs and can run commands under sudo.
  2. Run the following commands. Replace “my.achunter.system” with the hostname or IP address of your AC-Hunter system. “[/zeek/log/top/dir/]” is an optional parameter pointing at the top-level directory under which your Zeek logs can be found; you only need to specify it if it is not detected automatically.
    curl -fsSL https://raw.githubusercontent.com/activecm/zeek-log-transport/master/connect_sensor.sh -O
    
    curl -fsSL https://raw.githubusercontent.com/activecm/shell-lib/master/acmlib.sh -O
    
    curl -fsSL https://raw.githubusercontent.com/activecm/zeek-log-transport/master/zeek_log_transport.sh -O
    
    bash connect_sensor.sh my.achunter.system [/zeek/log/top/dir/]
  3. If you wish to send your logs to a second AC-Hunter system, repeat step 2 using the second system name or IP address.

Note: common directories that hold Zeek logs include:

/opt/zeek/logs/ #Zeek as installed by Rita
/usr/local/zeek/logs/ #Zeek default
/var/lib/docker/volumes/var_log_zeek/_data/ #Blue Vector
/nsm/zeek/logs #Security Onion
/storage/zeek/logs/
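To check ahead of time whether step 2 will need the optional directory argument, the following added helper (not part of the activecm scripts) walks the candidate directories listed above and prints the first one that actually holds Zeek logs. It assumes Zeek's usual layout of a current/ directory plus dated YYYY-MM-DD directories containing conn.log files, plain or gzip-compressed.

```shell
#!/bin/sh
# Added example, not from the activecm zeek-log-transport project.
# Finds the first candidate top-level directory that contains Zeek logs.

# Candidate directories, in the order listed in the note above.
ZEEK_LOG_CANDIDATES="/opt/zeek/logs/ /usr/local/zeek/logs/ \
/var/lib/docker/volumes/var_log_zeek/_data/ /nsm/zeek/logs /storage/zeek/logs/"

# zeek_dir_has_logs DIR: succeed if DIR holds a conn.log, either in current/
# (today's logs) or in a rotated, dated YYYY-MM-DD subdirectory.
zeek_dir_has_logs() {
  dir="$1"
  [ -d "$dir" ] || return 1
  # Live logs written by the running Zeek instance.
  if ls "$dir"/current/conn.log* >/dev/null 2>&1; then return 0; fi
  # Rotated logs; names look like conn.00:00:00-01:00:00.log.gz.
  for d in "$dir"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
    [ -d "$d" ] || continue
    if ls "$d"/conn.*log* >/dev/null 2>&1; then return 0; fi
  done
  return 1
}

# detect_zeek_log_dir [DIR...]: print the first directory that holds logs.
# With no arguments the default candidate list is searched.
# Paths are assumed not to contain whitespace.
detect_zeek_log_dir() {
  candidates="$*"
  [ -n "$candidates" ] || candidates="$ZEEK_LOG_CANDIDATES"
  for c in $candidates; do
    if zeek_dir_has_logs "$c"; then
      printf '%s\n' "${c%/}"
      return 0
    fi
  done
  echo "No Zeek log directory found; pass the path to connect_sensor.sh explicitly" >&2
  return 1
}
```

If the function prints a directory, connect_sensor.sh should find the same one on its own; if it prints nothing, pass your log directory as the second argument in step 2.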

Category: Network Sensor Management