Network monitoring with Zeek

Light into Darkness

Converting Logs to JSON

To make the log data easier to handle, you can switch Zeek from its default tab-delimited log format to JSON. To do so, add the following two lines to your /opt/zeek/share/zeek/site/local.zeek file:

# Output in JSON format
@load policy/tuning/json-logs.zeek

Now restart the Zeek process with the deploy command used earlier and check the format of the logfiles: each entry is now written as one JSON object per line. For further analysis of your log data, you can also connect tools that expect JSON input.
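As an added example that is not part of the original article, the following Python script shows what "connecting a tool that expects JSON" looks like in practice: it reads a JSON-formatted conn.log line by line, tolerates a half-written tail line (which happens when you read a log Zeek is still appending to), and summarizes traffic per destination port, outbound bytes per client, and failed connection attempts per client. The log lines are constructed to match the field names Zeek's JSON writer produces (nested record fields are flattened with dots, e.g. id.orig_h; unset fields are simply omitted); the host addresses, UIDs, and the threshold of three failed attempts are assumptions for illustration, not values from the article.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of a Zeek conn.log written with
# policy/tuning/json-logs.zeek: one JSON object per line. Not real traffic.
# The truncated last line stands in for an entry Zeek has not finished writing.
SAMPLE_CONN_LOG = """\
{"ts":1700000000.10,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"192.0.2.10","id.resp_p":443,"proto":"tcp","service":"ssl","duration":1.2,"orig_bytes":900,"resp_bytes":5400,"conn_state":"SF"}
{"ts":1700000001.30,"uid":"CmES5u32sYpV7JYN","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"192.0.2.20","id.resp_p":22,"proto":"tcp","service":"ssh","duration":30.5,"orig_bytes":350,"resp_bytes":1800,"conn_state":"SF"}
{"ts":1700000002.00,"uid":"C4J4Th3PJpwUYZZ6gc","id.orig_h":"10.0.0.7","id.orig_p":40000,"id.resp_h":"192.0.2.10","id.resp_p":445,"proto":"tcp","conn_state":"S0"}
{"ts":1700000002.05,"uid":"CtPZjS20MLrsMUOJi2","id.orig_h":"10.0.0.7","id.orig_p":40001,"id.resp_h":"192.0.2.11","id.resp_p":445,"proto":"tcp","conn_state":"REJ"}
{"ts":1700000002.10,"uid":"CUM0KZ3MLUfNB0cl11","id.orig_h":"10.0.0.7","id.orig_p":40002,"id.resp_h":"192.0.2.12","id.resp_p":445,"proto":"tcp","conn_state":"S0"}
{"ts":1700000003.00,"uid":"CwjRrX2z7QbmEYS3Ja","id.orig_h":"10.0.0.5","id.orig_p":53000,"id.resp_h":"192.0.2.53","id.resp_p":53,"proto":"udp","service":"dns","duration":0.01,"orig_bytes":60,"resp_bytes":120,"conn_state":"SF"}
{"ts":1700000004.00,"uid":"CIncomplete"
"""

# Zeek conn_state values for attempts that never completed:
# S0 = attempt seen, no reply; REJ = attempt rejected.
FAILED_STATES = {"S0", "REJ"}


def parse_zeek_json(text):
    """Yield one dict per line of a JSON-formatted Zeek log.

    Blank lines and lines that do not parse (e.g. the partially written last
    line of a log that is still being appended to) are skipped, so a reader
    that tails the file does not crash on a torn write.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize(records):
    """Aggregate conn.log records into three counters keyed by port or client."""
    by_resp_port = Counter()   # connections per destination port
    failed_by_orig = Counter()  # unanswered/rejected attempts per client host
    bytes_out = Counter()       # bytes sent by each client host
    for r in records:
        by_resp_port[r["id.resp_p"]] += 1
        if r.get("conn_state") in FAILED_STATES:
            failed_by_orig[r["id.orig_h"]] += 1
        # The JSON writer omits unset fields instead of writing "-",
        # so a missing orig_bytes must default to zero here.
        bytes_out[r["id.orig_h"]] += r.get("orig_bytes", 0)
    return {"by_resp_port": by_resp_port,
            "failed_by_orig": failed_by_orig,
            "bytes_out": bytes_out}


def noisy_hosts(summary, threshold=3):
    """Return client hosts with at least `threshold` failed attempts, sorted.

    The threshold is an assumed illustration value; tune it to your network.
    """
    return sorted(h for h, n in summary["failed_by_orig"].items()
                  if n >= threshold)


def main(argv):
    # Pass the path of a real JSON conn.log as the first argument, or run
    # without arguments to analyze the constructed sample above.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONN_LOG
    summary = summarize(parse_zeek_json(text))
    print("connections per destination port:")
    for port, n in sorted(summary["by_resp_port"].items()):
        print(f"  {port:>5}  {n}")
    print("bytes sent per client:")
    for host, n in sorted(summary["bytes_out"].items()):
        print(f"  {host:<15} {n}")
    print("clients with repeated failed connection attempts:",
          ", ".join(noisy_hosts(summary)) or "none")


if __name__ == "__main__":
    main(sys.argv)
```

Because every line is a complete JSON document, the same parsing loop works unchanged on any other Zeek log written in JSON mode (dns.log, ssl.log, http.log); only the field names used in summarize() are specific to conn.log.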

Conclusions

For administrators, reliable insights into network traffic are a must-have. They not only help you identify and analyze problems, but also detect possible attackers. Zeek can already look back on more than 20 years of development, delivering a classic approach to monitoring network activity. The tool comes with its own policy scripting language [3] for customization. With its help, you can flexibly adapt your monitoring setup to suit your needs or, if required, expand the analysis options to include more network protocols.

Infos

  1. Paxson, V. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, 1999;31(23-24):2435-2463, https://www.icir.org/vern/papers/bro-CN99.pdf
  2. Zeek packages: https://software.opensuse.org//download.html?project=security:zeek&package=zeek
  3. Policy scripts: https://docs.zeek.org/en/master/scripting/basics.html

The Author

Dr. Matthias Wübbeling is an IT security enthusiast, scientist, author, consultant, and speaker. As a Lecturer at the University of Bonn in Germany and Researcher at Fraunhofer FKIE, he works on projects in network security, IT security awareness, and protection against account takeover and identity theft. He is the CEO of the university spin-off Identeco, which keeps a leaked identity database to protect employee and customer accounts against identity fraud. As a practitioner, he supports the German Informatics Society (GI), administrating computer systems and service back ends. He has published more than 100 articles on IT security and administration.
