Zeek Content Pack
Zeek is an open-source network security monitoring tool capable of passively analyzing network traffic and generating a number of logs describing the activity it sees.
Zeek can be used to detect attacks and probes with a variety of different analyzers and scripts. This technology pack processes Zeek log messages by providing normalization, enrichment, and GIM categorization of common events of interest.
Supported Versions
- Zeek 5.0.9+
- Filebeat 7.13+ (ndjson parser)
Requirements
- Graylog Server 5.0.3+ with a valid Enterprise license
- Configured Beats input
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:Zeek Messages"
Index Set Configuration
This technology pack includes 1 index set definition:
- "Zeek Logs"
Log Format Example
An example of a Zeek conn.log message delivered via Filebeat in GELF format:
Zeek conn.log (Filebeat GELF)

```json
{"filebeat_id_orig_p":58405,"filebeat_log_offset":908201,"filebeat_agent_name":"snort1","filebeat_history":"ShADadFf","filebeat_resp_pkts":7,"filebeat_id_orig_h":"74.96.110.140","filebeat_event_source_product":"zeek","beats_type":"filebeat","filebeat_@metadata_beat":"filebeat","filebeat_ts":"2023-06-05T14:15:05.682220Z","filebeat_@timestamp":"2023-06-05T14:15:23.109Z","filebeat_agent_type":"filebeat","filebeat_@metadata_version":"8.6.2","filebeat_host_name":"snort1","filebeat_proto":"tcp","filebeat_agent_version":"8.6.2","filebeat_orig_ip_bytes":1234,"filebeat_agent_ephemeral_id":"6a114e83-ca97-4925-b4c6-8971c97d191b","filebeat_local_orig":true,"filebeat_orig_bytes":942,"filebeat_input_type":"filestream","filebeat_id_resp_h":"172.65.251.78","filebeat_orig_pkts":7,"filebeat_resp_bytes":1960,"filebeat_duration":10.197248935699463,"message":"-","filebeat_ecs_version":"8.0.0","filebeat_id_resp_p":443,"filebeat_uid":"CyRQBS1i6zJKpZXgHl","filebeat_service":"ssl","filebeat_missed_bytes":0,"filebeat_@metadata_type":"_doc","filebeat_conn_state":"SF","filebeat_resp_ip_bytes":2252,"filebeat_local_resp":false,"filebeat_agent_id":"c2c08007-50ba-4d8e-948b-ca484ef0ece2","filebeat_log_file_path":"/opt/zeek5/logs/current/conn.log","host":"bg-devel","level":6,"replayed_log":"true"}
```
Log Collection
This pack processes Zeek JSON logs delivered via Filebeat. Zeek must be configured to log in JSON format, and Filebeat must be configured to parse and deliver the logs to a Graylog Beats input.
Zeek Configuration
- Zeek must be configured to log in JSON format. Any existing logging configuration can still be used separately, but this technology pack requires the JSON configuration below.
- The ISO8601 setting is crucial for proper timestamp processing: Zeek's default JSON timestamp format is epoch seconds, and the pack expects ISO 8601 values in ts.
- Edit json-logs.zeek at /zeek_install_path/share/zeek/policy/tuning/ so that it contains:

```zeek
##! Loading this script will cause all logs to be written
##! out as JSON by default.
redef LogAscii::use_json = T;
redef LogAscii::json_timestamps = JSON::TS_ISO8601;
redef LogAscii::json_include_unset_fields = T;
```

  Files under policy/ are replaced when Zeek is upgraded, so confirm these lines are still present after an update (placing the same three redef lines in local.zeek avoids the problem).
- Edit local.zeek at /zeek_install_path/share/zeek/site/ and add the following lines:

```zeek
@load packages
@load policy/tuning/json-logs.zeek
```

- Restart or redeploy Zeek (for example with zeekctl deploy) so the new logging configuration takes effect, then check that the files under logs/current/ contain one JSON object per line with an ISO 8601 ts.
- Additional information: Zeek download | Zeek documentation
Filebeat Configuration
- Create a matching Beats input in Graylog.
- Ensure that the option Do not add Beats type as prefix is disabled; the pack expects the filebeat_ prefix on every field, as in the example message above.
- Configure Filebeat to ship Zeek logs to Graylog. The event_source_product: zeek field and the ndjson parser with target: zeek are critical for proper identification and parsing.
- If Zeek logs are stored in a location other than the default, update the paths accordingly.
- Example filebeat.yml configuration (input section only; the output section must point at the Graylog Beats input):

```yaml
filebeat.inputs:
- type: filestream
  id: zeek-filestream
  enabled: true
  paths:
    - /zeek_install_path/logs/current/*.log
  parsers:
    - ndjson:
        target: "zeek"
        add_error_key: true
        overwrite_keys: true
  fields:
    event_source_product: zeek
  fields_under_root: true
```

  Validate the file with filebeat test config before starting the service. add_error_key: true makes JSON decoding failures visible as an error field on the event rather than leaving them to be found later in Graylog.
- Additional information: Filebeat download | Filebeat configuration
What is Provided
- Rules to normalize and enrich Zeek log messages.
Events Processed by This Technology Pack
This pack supports 63 Zeek log types. The following log types receive specific field extraction; those listed in the GIM Categorization table below also receive GIM categorization. Generic processing is provided for all other log types.
- conn.log - TCP/UDP/ICMP connections
- dns.log - DNS activity
- http.log - HTTP requests and replies
- ntlm.log - NTLM authentication
- ssl.log - SSL/TLS handshake info
- dce_rpc.log - Distributed Computing Environment/RPC
- ntp.log - Network Time Protocol
- weird.log - Unexpected network-level activity
- files.log - File analysis results
- x509.log - X.509 certificate info
- pe.log - Portable Executable analysis
- ocsp.log - Online Certificate Status Protocol
- loaded_scripts.log - Scripts loaded by Zeek
GIM Categorization
GIM categorization is provided for the following Zeek log types:
| Zeek Log Type | gim_event_type_code | GIM Category | GIM Subcategory | gim_event_type |
|---|---|---|---|---|
| conn | 120500 | network | network.flow | flow record |
| dns (request) | 140000 | name resolution | name resolution.dns request | dns query |
| dns (response) | 140200 | name resolution | name resolution.dns answer | dns response |
| http | 180200 | http | http.communication | http communication |
| ntlm | 100500 | authentication | authentication.credential validation | credential validation |
| ssl | 129999 | network | network.default | network message |
| dce_rpc | 129999 | network | network.default | network message |
| ntp | 129999 | network | network.default | network message |
| weird | 129999 | network | network.default | network message |
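The normalization the pack performs, as an added example that is not part of the content pack or of Graylog's pipeline rules: it reads raw Zeek JSON lines (the lines Filebeat picks up before they become a message like the one in the Log Format Example), derives the log type from the file name, applies the GIM codes from this table, and rejects epoch-seconds timestamps to show why the ISO8601 setting above matters. The output field names, the sample lines, and the rule used to split dns requests from responses are assumptions of the example, not the pack's.

```python
"""Added example, not content-pack code: normalize raw Zeek JSON log lines as
the pack describes and tag them with the GIM codes from the table above.
Sample lines are constructed; output field names are illustrative."""
import json
from datetime import datetime, timezone
from posixpath import basename

# (gim_event_type_code, category, subcategory, gim_event_type) from the table
GIM = {
    "conn": (120500, "network", "network.flow", "flow record"),
    "dns_request": (140000, "name resolution", "name resolution.dns request", "dns query"),
    "dns_response": (140200, "name resolution", "name resolution.dns answer", "dns response"),
    "http": (180200, "http", "http.communication", "http communication"),
    "ntlm": (100500, "authentication", "authentication.credential validation",
             "credential validation"),
}
NETWORK_DEFAULT = (129999, "network", "network.default", "network message")
NETWORK_DEFAULT_TYPES = {"ssl", "dce_rpc", "ntp", "weird"}
GIM_FIELDS = ("gim_event_type_code", "gim_event_category",
              "gim_event_subcategory", "gim_event_type")

def log_type_from_path(path):
    """'/opt/zeek5/logs/current/conn.log' -> 'conn' (from Filebeat's log.file.path)."""
    name = basename(path)
    return name[:-4] if name.endswith(".log") else name

def parse_ts(ts):
    """Zeek writes ISO 8601 only with json_timestamps = JSON::TS_ISO8601; the
    default is epoch float seconds. Refuse those so the misconfiguration surfaces."""
    if not isinstance(ts, str):
        raise ValueError(f"ts={ts!r} is not ISO 8601; set "
                         "LogAscii::json_timestamps = JSON::TS_ISO8601")
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def classify(log_type, record):
    """GIM tuple for a log type, or None when the pack only processes it generically.
    Assumption (the page does not say how dns is split): a record carrying an
    rcode or answers is a response. json_include_unset_fields=T emits unset
    fields as null, hence the 'is not None' test."""
    if log_type == "dns":
        is_response = record.get("rcode") is not None or bool(record.get("answers"))
        return GIM["dns_response" if is_response else "dns_request"]
    if log_type in GIM:
        return GIM[log_type]
    return NETWORK_DEFAULT if log_type in NETWORK_DEFAULT_TYPES else None

def normalize(path, line):
    """Parse one raw Zeek JSON line (what Filebeat reads) into a flat event."""
    record = json.loads(line)
    log_type = log_type_from_path(path)
    event = {
        "zeek_log_type": log_type,
        "timestamp": parse_ts(record["ts"]).astimezone(timezone.utc).isoformat(),
        "zeek_uid": record.get("uid"),
        "source_ip": record.get("id.orig_h"),
        "source_port": record.get("id.orig_p"),
        "destination_ip": record.get("id.resp_h"),
        "destination_port": record.get("id.resp_p"),
    }
    gim = classify(log_type, record)
    if gim is not None:
        event.update(zip(GIM_FIELDS, gim))
    return event

def normalize_all(lines):
    """Normalize (path, line) pairs; collect bad lines as errors instead of aborting."""
    events, errors = [], []
    for path, line in lines:
        try:
            events.append(normalize(path, line))
        except (ValueError, KeyError) as exc:  # JSONDecodeError is a ValueError
            errors.append((path, str(exc)))
    return events, errors

# Constructed sample lines; the conn values are taken from the page's example message.
SAMPLE_LINES = [
    ("/opt/zeek5/logs/current/conn.log",
     '{"ts":"2023-06-05T14:15:05.682220Z","uid":"CyRQBS1i6zJKpZXgHl","id.orig_h":"74.96.110.140",'
     '"id.orig_p":58405,"id.resp_h":"172.65.251.78","id.resp_p":443,"proto":"tcp","service":"ssl"}'),
    ("/opt/zeek5/logs/current/dns.log",
     '{"ts":"2023-06-05T14:15:06.000100Z","uid":"CdnsA1","id.orig_h":"10.0.0.5","id.orig_p":51000,'
     '"id.resp_h":"10.0.0.53","id.resp_p":53,"query":"example.com","rcode":0,"answers":["93.184.216.34"]}'),
    ("/opt/zeek5/logs/current/dns.log",
     '{"ts":"2023-06-05T14:15:06.000200Z","uid":"CdnsA2","id.orig_h":"10.0.0.5","id.orig_p":51001,'
     '"id.resp_h":"10.0.0.53","id.resp_p":53,"query":"example.org","rcode":null,"answers":null}'),
    ("/opt/zeek5/logs/current/ssl.log",
     '{"ts":"2023-06-05T14:15:07Z","uid":"CyRQBS1i6zJKpZXgHl","id.orig_h":"74.96.110.140",'
     '"id.orig_p":58405,"id.resp_h":"172.65.251.78","id.resp_p":443,"version":"TLSv13"}'),
    ("/opt/zeek5/logs/current/files.log",   # generic processing only: no GIM code
     '{"ts":"2023-06-05T14:15:08Z","fuid":"FabcXY","source":"SSL"}'),
    ("/opt/zeek5/logs/current/conn.log",    # epoch ts: json_timestamps left at default
     '{"ts":1685974505.68222,"uid":"CbadTs1","id.orig_h":"10.0.0.7","id.orig_p":40000,'
     '"id.resp_h":"10.0.0.8","id.resp_p":22,"proto":"tcp"}'),
]

if __name__ == "__main__":
    events, errors = normalize_all(SAMPLE_LINES)
    for e in events:
        print(e["zeek_log_type"], e.get("gim_event_type_code"), e["timestamp"])
    for path, err in errors:
        print("ERROR", path, err)
```

Running the file prints one line per normalized event and one ERROR line for the epoch-timestamp record; that last line is the symptom you will see if json-logs.zeek was loaded without the JSON::TS_ISO8601 redef.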
Zeek Spotlight Content Pack
This spotlight offers a dashboard with 1 tab:
- Overview
