Importing Zeek Logs Manually Into RITA or AC-Hunter

AC-Hunter normally imports the most recent 24 hours of logs for you, discarding old logs when new ones show up. There may be times when you want to import logs by hand, such as when:

– you’re bringing over logs from a sensor that doesn’t normally submit them.
– you’ve upgraded AC-Hunter and have a note that a database needs to be re-imported.
– you’d like to look at a time range smaller than a day.


Before you create a database, make sure the name you want to use doesn’t already exist by checking the output of:

rita list

If that database name does exist, you can delete it with:

rita delete database_name

Finally, create a database from these logs by running the following command:

rita import /directory/that/holds/the/logs/ database_name

This command may take a while – the import process uses a lot of processor time, memory, and disk.


Note that this is the same command for both RITA and AC-Hunter. Once that has finished running, there will be a new database that you can use in future RITA commands or find in AC-Hunter’s database list (go to Dashboard, Gear icon, Database tab).

If you’re looking to replace a rolling database (one whose name ends in “-rolling”), please contact [email protected].
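The steps above (check `rita list`, delete a stale database only when you mean to, then `rita import`), wrapped in a small guard script. This is an added example, not part of this FAQ or of RITA; it assumes `rita` is on PATH, that `rita list` prints one database name per line, and it adds its own name-sanity rule and the "leave -rolling databases alone" rule from the note above.

```shell
#!/bin/sh
# Added example (not the FAQ's or RITA's own code): guard the manual import steps.
# Assumes `rita` is on PATH and that `rita list` prints one database name per line.
set -eu

RITA="${RITA:-rita}"

# Exit 0 if NAME appears as a whole line in LIST_OUTPUT (the text printed by `rita list`).
rita_db_exists() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# Exit 0 if NAME ends in "-rolling": those databases are not replaced by hand.
is_rolling_db() {
    case "$1" in
        *-rolling) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if NAME cannot be mistaken for a path or a command-line option.
# Constructed rule for this script, not RITA's own naming policy.
is_safe_db_name() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# import_zeek_logs LOGDIR NAME [replace]
# Refuses rolling or malformed names, deletes an existing NAME only when the
# third argument is the word "replace", then runs `rita import`.
import_zeek_logs() {
    logdir="$1"; name="$2"; mode="${3:-}"
    is_safe_db_name "$name" || { echo "refusing malformed database name: $name" >&2; return 2; }
    is_rolling_db "$name" && { echo "$name is a rolling database; contact support instead" >&2; return 3; }
    [ -d "$logdir" ] || { echo "no such log directory: $logdir" >&2; return 4; }
    if rita_db_exists "$name" "$("$RITA" list)"; then
        [ "$mode" = replace ] || { echo "$name already exists; pass 'replace' to delete it first" >&2; return 5; }
        "$RITA" delete "$name"
    fi
    "$RITA" import "$logdir" "$name"
}

# Run only when invoked as a script with arguments: import_zeek_logs LOGDIR NAME [replace]
if [ "$#" -ge 2 ]; then
    import_zeek_logs "$@"
fi
```

Run it as `sh import_zeek.sh /directory/that/holds/the/logs/ database_name`, adding `replace` only when you intend to delete an existing database of that name.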


Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=7732

Category: Logs, Databases & Storage Management