Troubleshooting Log Transfer
The logs for each machine get placed in a different directory on the AC-Hunter system for each Zeek sensor. They should be under /opt/zeek/remotelogs/{zeek_sensor_name}/ , with additional directories under that for each calendar day (such as /opt/zeek/remotelogs/zeek1__1921681213/2021-04-01/).
Please log in to your Zeek system as the user under which you installed Zeek and make sure you can ssh to the AC-Hunter system with:
ssh [email protected] -i "$HOME/.ssh/id_rsa_dataimport" 'echo Successfully connected.'
The “Successfully connected.” response should come back without having to enter a password; if you are asked for a password there’s something wrong with the ssh key setup.
As that same user on the Zeek sensor, please run:
/usr/local/bin/zeek_log_transport.sh --dest ACH.IP.ADDRESS --localdir /opt/zeek/logs/
Replace ACH.IP.ADDRESS with the address of the AC-Hunter system. If your logs are stored somewhere other than /opt/zeek/logs/ on this sensor, adjust that too. This should start sending logs over to the AC-Hunter system. It’s OK to leave this running; any files you successfully transfer now will not be resent later.
Please check the file that initiates sending logs:
cat /etc/cron.d/zeek_log_transport
It should look like the following:
5 * * * * senduser /usr/local/bin/zeek_log_transport.sh --dest ACH.IP.ADDRESS --localdir /opt/zeek/logs/
“senduser” will need to be the account name on this system under which you did the installation, “ACH.IP.ADDRESS” should be the AC-Hunter system’s IP, and “/opt/zeek/logs/” will need to be the directory where you have Zeek logs on this system.
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=861