« Previous 1 2
Network monitoring with Zeek
Light into Darkness
Converting Logs to JSON
To make the log data easier to handle, you can change the tab-delimited logging to a more modern JSON format. To adapt the configuration, add the following two lines to your /opt/zeek/share/zeek/site/local.zeek file:
# Output in JSON format @load policy/tuning/json-logs.zeek
Now, with the deploy command used earlier, restart the Zeek process and check the format in the logfiles. For further analysis of your log data, you can also connect tools that expect input in JSON format.
Conclusions
For administrators, reliable insights into network traffic are a must-have. They not only help you identify and analyze problems, but detect possible attackers. Zeek can already look back on more than 20 years of development, delivering a classic approach to monitoring network activity. The tool comes with its own policy scripting language [3] for customization. With its help, you can flexibly adapt your monitoring setup to suit your needs or expand the analysis options to include more network protocols, if required.
Infos
- Paxson, V. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks , 1999;31(23-24):2435-2463, https://www.icir.org/vern/papers/bro-CN99.pdf
- Zeek packages: https://software.opensuse.org//download.html?project=security:zeek&package=zeek
- Policy scripts: https://docs.zeek.org/en/master/scripting/basics.html
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Security analysis with Security Onion
Security Onion offers a comprehensive security suite for intrusion detection that involves surprisingly little work. -
Centralized monitoring and intrusion detection
Security Onion bundles numerous individual Linux tools that help you monitor networks or fend off attacks to create a standardized platform for securing IT environments.