Can I Send Zeek Logs from an Existing Zeek Sensor to AC-Hunter to Be Analyzed?
Yes.
- Log in to your Zeek sensor as a user that can read the Zeek logs and can run commands under sudo
- Run the following commands. You’ll need to replace “my.achunter.system” with the hostname or IP address of your AC-Hunter system. “[/zeek/log/top/dir/]” is an optional parameter pointing at the top-level directory under which your Zeek logs can be found. You only need to specify it if the directory is not detected automatically.
```
curl -fsSL https://raw.githubusercontent.com/activecm/zeek-log-transport/master/connect_sensor.sh -O
curl -fsSL https://raw.githubusercontent.com/activecm/shell-lib/master/acmlib.sh -O
curl -fsSL https://raw.githubusercontent.com/activecm/zeek-log-transport/master/zeek_log_transport.sh -O
bash connect_sensor.sh my.achunter.system [/zeek/log/top/dir/]
```
- If you wish to send your logs to a second AC-Hunter system, repeat step 2 using the second system name or IP address.
Note: common directories that hold Zeek logs include:
```
/opt/zeek/logs/                              # Zeek as installed by RITA
/usr/local/zeek/logs/                        # Zeek default
/var/lib/docker/volumes/var_log_zeek/_data/  # Blue Vector
/nsm/zeek/logs                               # Security Onion
/storage/zeek/logs/
```
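Before running connect_sensor.sh, it is worth confirming which of the directories above actually holds live Zeek output, so that the optional third argument in step 2 points at the right tree and the transport does not silently ship nothing. The helper below is an added example written for this FAQ; it is not part of the zeek-log-transport project and does not reproduce its own detection logic. It probes the candidate list from the note above (or any directories passed as arguments), treating a directory as a Zeek log tree if it has a readable `current/conn.log` or at least one dated `YYYY-MM-DD` subdirectory containing rotated `conn` logs. The directory layout it expects (`current/` plus dated archive folders) is the standard Zeek/zeekctl layout, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the AC-Hunter FAQ or the zeek-log-transport scripts):
# locate the top-level Zeek log directory and confirm it holds Zeek output
# before handing it to connect_sensor.sh as the optional third argument.

# Candidate locations taken from the FAQ note (RITA, Zeek default,
# Blue Vector, Security Onion, and a common custom storage path).
ZEEK_LOG_CANDIDATES="/opt/zeek/logs /usr/local/zeek/logs /var/lib/docker/volumes/var_log_zeek/_data /nsm/zeek/logs /storage/zeek/logs"

# looks_like_zeek_log_dir DIR
# Succeeds when DIR has a readable current/conn.log (a running zeekctl
# deployment) or at least one dated YYYY-MM-DD subdirectory holding
# rotated conn logs, plain or gzip-compressed.
looks_like_zeek_log_dir() {
  dir=$1
  [ -d "$dir" ] || return 1
  [ -r "$dir/current/conn.log" ] && return 0
  for d in "$dir"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
    [ -d "$d" ] || continue
    for f in "$d"/conn.*.log.gz "$d"/conn.*.log "$d"/conn.log; do
      [ -e "$f" ] && return 0
    done
  done
  return 1
}

# detect_zeek_log_dir [DIR...]
# Prints the first directory that looks like a Zeek log tree, checking the
# arguments if any were given and the built-in candidate list otherwise.
# Returns 1 and prints nothing when no candidate qualifies.
detect_zeek_log_dir() {
  if [ "$#" -eq 0 ]; then
    # Intentional word splitting of the space-separated candidate list.
    set -- $ZEEK_LOG_CANDIDATES
  fi
  for c in "$@"; do
    if looks_like_zeek_log_dir "$c"; then
      printf '%s\n' "$c"
      return 0
    fi
  done
  return 1
}

# Stand-alone use: print the detected directory, or fail loudly so the
# operator knows the optional argument must be supplied by hand.
if [ "${ZEEK_DETECT_NO_MAIN:-}" = "" ] && [ "$(basename "$0")" = "detect_zeek_log_dir.sh" ]; then
  if logdir=$(detect_zeek_log_dir "$@"); then
    echo "Zeek logs found under: $logdir"
  else
    echo "No Zeek log directory found; pass the top-level log directory to connect_sensor.sh explicitly." >&2
    exit 1
  fi
fi
```

Saved as `detect_zeek_log_dir.sh`, running it with no arguments checks the FAQ's candidate list; the printed path is what you would supply as `[/zeek/log/top/dir/]` in step 2. Passing one or more directories restricts the check to those paths, which is useful on sensors with a non-standard install prefix.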
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=863
Category: Network Sensor Management