Network monitoring with Zeek
Light into Darkness
Converting Logs to JSON
To make the log data easier to handle, you can switch the tab-delimited logging to the more modern JSON format. To adapt the configuration, add the following two lines to your /opt/zeek/share/zeek/site/local.zeek file:

# Output in JSON format
@load policy/tuning/json-logs.zeek

Now restart the Zeek process with the deploy command used earlier and check the format of the logfiles: each line is now one JSON object, fields that Zeek leaves unset are simply omitted instead of being written as -, and the #fields header of the tab-delimited format is gone, so any tool you connect has to take the column names from the JSON keys. For further analysis of your log data, you can also connect tools that expect input in JSON format.
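As an added example (not code from the article or from the Zeek project), the following Python script reads a conn.log in both of Zeek's on-disk formats, the default tab-delimited form with its # header lines and the JSON form that json-logs.zeek produces, normalizes them to the same list of records and runs one simple detection over the result. The log lines are constructed for the example and trimmed to a few columns; the port-sweep threshold and the helper names are the example's own choices.

```python
"""Read a Zeek conn.log in both of its on-disk formats and run one detection
over the parsed records.  The log lines below are constructed for this
example, not taken from a real capture."""
import json

# Constructed tab-delimited conn.log, trimmed to a few columns.  Zeek's header
# lines begin with '#': '#fields' names the columns, '#types' gives their Zeek
# types and '#unset_field' is the placeholder written for missing values.
TSV_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1700000000.100000\tC1\t10.0.0.5\t40001\t10.0.0.9\t22\ttcp\tssh\tSF
1700000000.200000\tC2\t10.0.0.5\t40002\t10.0.0.9\t80\ttcp\t-\tS0
1700000000.300000\tC3\t10.0.0.5\t40003\t10.0.0.9\t443\ttcp\t-\tS0
1700000000.400000\tC4\t10.0.0.7\t50001\t10.0.0.9\t53\tudp\tdns\tSF
#close\t2023-11-14-22-13-20
"""

# The same four connections as JSON lines, the shape json-logs.zeek produces:
# one object per line, typed values, and unset fields simply left out.
JSON_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": 1700000000.1, "uid": "C1", "id.orig_h": "10.0.0.5", "id.orig_p": 40001,
     "id.resp_h": "10.0.0.9", "id.resp_p": 22, "proto": "tcp", "service": "ssh",
     "conn_state": "SF"},
    {"ts": 1700000000.2, "uid": "C2", "id.orig_h": "10.0.0.5", "id.orig_p": 40002,
     "id.resp_h": "10.0.0.9", "id.resp_p": 80, "proto": "tcp", "conn_state": "S0"},
    {"ts": 1700000000.3, "uid": "C3", "id.orig_h": "10.0.0.5", "id.orig_p": 40003,
     "id.resp_h": "10.0.0.9", "id.resp_p": 443, "proto": "tcp", "conn_state": "S0"},
    {"ts": 1700000000.4, "uid": "C4", "id.orig_h": "10.0.0.7", "id.orig_p": 50001,
     "id.resp_h": "10.0.0.9", "id.resp_p": 53, "proto": "udp", "service": "dns",
     "conn_state": "SF"},
])


def _convert(zeek_type, raw):
    """Map the Zeek type named in the #types header onto a Python value."""
    if zeek_type in ("count", "int", "port"):
        return int(raw)
    if zeek_type in ("time", "interval", "double"):
        return float(raw)
    if zeek_type == "bool":
        return raw == "T"
    return raw  # addr, string, enum: keep the text as-is


def parse_tsv(text):
    """Parse Zeek's default tab-delimited log into a list of dicts."""
    sep, unset, fields, types = "\t", "-", [], []
    records = []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # the separator is written as an escape sequence, e.g. '\x09'
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
        elif line:
            rec = {}
            for name, ztype, raw in zip(fields, types, line.split(sep)):
                if raw != unset:  # drop '-' so the record matches the JSON form
                    rec[name] = _convert(ztype, raw)
            records.append(rec)
    return records


def parse_json(text):
    """Parse the one-object-per-line JSON form; no header handling needed."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_port_sweeps(records, min_ports=3):
    """Flag source hosts that touched at least min_ports distinct ports on a
    single responder (example threshold); returns {"orig->resp": [ports]}."""
    seen = {}
    for r in records:
        if "id.resp_p" in r:
            key = (r["id.orig_h"], r["id.resp_h"])
            seen.setdefault(key, set()).add(r["id.resp_p"])
    return {f"{o}->{d}": sorted(p) for (o, d), p in seen.items()
            if len(p) >= min_ports}


if __name__ == "__main__":
    for name, recs in (("tsv", parse_tsv(TSV_LOG)), ("json", parse_json(JSON_LOG))):
        print(name, len(recs), "records, sweeps:", find_port_sweeps(recs))
```

Both parsers yield identical records, which is the practical point of the switch: the JSON consumer needs no header bookkeeping at all, while the tab-delimited reader has to honour #separator, #fields, #types and #unset_field before it can produce typed values. A Zeek log rotated by zeekctl may be gzip-compressed; open it with gzip.open() before handing the text to either parser.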
Conclusions
For administrators, reliable insight into network traffic is a must-have. It not only helps you identify and analyze problems, but also detect possible attackers. Zeek can already look back on more than 20 years of development [1], delivering a classic approach to monitoring network activity. The tool comes with its own policy scripting language [3] for customization. With its help, you can flexibly adapt your monitoring setup to suit your needs or expand the analysis options to include more network protocols, if required.
Infos
[1] Paxson, V. "Bro: A System for Detecting Network Intruders in Real-Time." Computer Networks, 1999;31(23-24):2435-2463, https://www.icir.org/vern/papers/bro-CN99.pdf
[2] Zeek packages: https://software.opensuse.org//download.html?project=security:zeek&package=zeek
[3] Policy scripts: https://docs.zeek.org/en/master/scripting/basics.html