
In this blog, I will walk you through the process of configuring both Filebeat and Zeek (formerly known as Bro), which will enable you to perform analytics on Zeek data using Elastic Security. The default configuration for Filebeat and its modules works for many environments; however, you may find a need to customize settings specific to your environment. The steps detailed in this blog should make it easier to understand what is necessary to customize your configuration with the objective of being able to see Zeek data within Elastic Security.

Beats are lightweight shippers that are great for collecting and shipping data from or near the edge of your network to an Elasticsearch cluster. Beats ship data that conforms with the Elastic Common Schema (ECS). Filebeat, a member of the Beat family, comes with internal modules that simplify the collection, parsing, and visualization of common log formats. The modules achieve this with built-in defaults, including automatic log paths based on your operating system. We will be using Filebeat to parse Zeek data.

I assume that you already have an Elasticsearch cluster configured with both Filebeat and Zeek installed. My Elastic cluster was created using Elasticsearch Service, which is hosted in Elastic Cloud. You can easily spin up a cluster with a 14-day free trial, no credit card needed; you should give it a spin, as it makes getting started with the Elastic Stack fast and easy. You can find Zeek for download at the Zeek website. Additionally, I will detail how to configure Zeek to output data in JSON format, which is required by Filebeat. I will also cover details specific to the GeoIP enrichment process for displaying the events on the Elastic Security map.
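As an added example (not code from this blog or from the Zeek or Elastic projects), the converter below turns a Zeek log written in the default ASCII tab-separated layout into the JSON-lines form Filebeat expects, following the conventions of Zeek's own JSON writer: epoch timestamps, unset fields omitted, sets rendered as arrays. The conn.log sample is constructed; the converter is meant for legacy TSV files you still need to ingest, while new data should come from Zeek with JSON output enabled as described later.

```python
import json

# Constructed sample: a tiny Zeek conn.log in the default ASCII (tab-separated) format.
SAMPLE_TSV = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tlocal_orig\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tbool\tset[string]\n"
    "1591000000.123456\tCabc123\t192.0.2.10\t51234\t198.51.100.20\t443\ttcp\tssl\t1.5\tT\t(empty)\n"
    "1591000001.000000\tCdef456\t192.0.2.11\t51235\t198.51.100.21\t53\tudp\t-\t-\tF\tCxyz789,Cuvw000\n"
    "#close\t2020-06-01-00-00-02\n"
)

def _convert(raw, ztype, hdr):  # one TSV cell -> the value Zeek's own JSON writer would emit
    if raw == hdr["unset_field"]:
        return None  # unset ('-') fields are omitted from the JSON object
    if ztype.startswith(("set[", "vector[")):
        items = [] if raw == hdr["empty_field"] else raw.split(hdr["set_separator"])
        return [_convert(i, ztype[ztype.index("[") + 1:-1], hdr) for i in items]
    if raw == hdr["empty_field"]:
        return ""
    if ztype in ("count", "int", "port"):
        return int(raw)
    if ztype in ("time", "interval", "double"):
        return float(raw)  # epoch seconds, Zeek's default JSON timestamp style
    return raw == "T" if ztype == "bool" else raw  # addr/subnet/string/enum stay strings

def tsv_to_records(text):  # parse Zeek ASCII log text, '#' header lines included, into dicts
    sep, cols, records = "\t", {"fields": [], "types": []}, []
    hdr = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    for line in text.splitlines():
        if line.startswith("#separator "):  # the header names its own (escaped) delimiter
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):  # other header lines use that delimiter; #path/#open/#close ignored
            key, _, val = line[1:].partition(sep)
            if key in hdr:
                hdr[key] = val
            elif key in cols:
                cols[key] = val.split(sep)
        elif line:
            cells = line.split(sep)
            if len(cells) != len(cols["fields"]) or len(cells) != len(cols["types"]):
                raise ValueError("data row does not match the #fields/#types header")
            records.append({n: v for n, t, c in zip(cols["fields"], cols["types"], cells)
                            if (v := _convert(c, t, hdr)) is not None})
    return records

def tsv_to_json_lines(text):  # NDJSON, one event per line, as LogAscii::use_json=T would write
    return "\n".join(json.dumps(r) for r in tsv_to_records(text))
```

Point Filebeat's Zeek module at the resulting file (or run the converter in place) and the dotted field names such as `id.orig_h` arrive exactly as Zeek's JSON writer would produce them.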
