Troubleshooting Log Transfer

August 15, 2019
F
Troubleshooting Log Transfer

The logs for each machine get placed in a different directory on the AC-Hunter system for each Zeek sensor. They should be under /opt/zeek/remotelogs/{zeek_sensor_name}/ , with additional directories under that for each calendar day (such as /opt/zeek/remotelogs/zeek1__1921681213/2021-04-01/).

Please log in to your Zeek system as the user under which you installed Zeek and make sure you can ssh to the AC-Hunter system with:

ssh [email protected] -i "$HOME/.ssh/id_rsa_dataimport" 'echo Successfully connected.'

The “Successfully connected.” response should come back without having to enter a password; if you are asked for a password there’s something wrong with the ssh key setup.

As that same user on the Zeek sensor, please run:

/usr/local/bin/zeek_log_transport.sh --dest ACH.IP.ADDRESS --localdir /opt/zeek/logs/

Replace ACH.IP.ADDRESS with the address of the AC-Hunter system. If your logs are stored somewhere other than /opt/zeek/logs/ on this sensor, adjust that too. This should start sending logs over to the AC-Hunter system. It’s OK to leave this running; any files you successfully transfer now will not be resent later.

Please check the file that initiates sending logs:

cat /etc/cron.d/zeek_log_transport

It should look like the following:

5 * * * * senduser /usr/local/bin/zeek_log_transport.sh --dest ACH.IP.ADDRESS --localdir /opt/zeek/logs/

“senduser” will need to be the account name on this system under which you did the installation, “ACH.IP.ADDRESS” should be the AC-Hunter system’s IP, and “/opt/zeek/logs/” will need to be the directory where you have Zeek logs on this system.

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=861

Categories: Logs, Databases & Storage Management, Network Sensor Management
Tags: