
Does Splunk Add-on for Zeek aka Bro work with the latest versions like 3.2.2????

Glasses
Builder

I know the documentation for Zeek add-on says there is support for specific versions 

Zeek aka Bro versions 2.1, 2.2, 2.3, 2.4, 2.5

But has anyone used it with Zeek version 3.+??? 

OR does anyone have a suggestion to onboard Zeek 3+ ???  

Is sending as json format the best option?

TY!

kjstogn
Explorer

Currently using it with Zeek version 3.0.8 on Security Onion 16.04.7.1

No issues with JSON format. The add-on itself is rather lacking in the sourcetypes and covers just the main ones like conn, dns, ssl... definitely add the ones you would like to parse a little more.

I personally like the JSON format more than TSV but it does support that fine as well with its sourcetype autotyping/dynamic extraction. 

I would beware of the TIME_FORMAT in props.conf, as Zeek by default uses epoch but Security Onion has been configured to use ISO8601.

If using ISO8601, substitute TIME_FORMAT = %s.%6N for TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%z


Glasses
Builder

Thanks for the reply.

We could not get the add-on to work with our 3.x version of Zeek for some reason. Maybe we will try again. JSON format is working fine for us as well.

We did see a strange Splunk timestamp issue for specific Zeek sourcetypes where Splunk shuffled some of the current events (with recent epoch time) back in time, giving the events a timestamp of years earlier. We fixed it with a couple of SEDCMD entries in props.conf, and it seems to be OK now.
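A pre-ingest check that covers both points raised above, the TIME_FORMAT mismatch between epoch and ISO8601 `ts` values in the accepted answer and the "events shuffled years back in time" symptom in the reply. This is an added example, not code from the Splunk Add-on for Zeek, Security Onion, or anyone in this thread; the Zeek JSON lines are constructed, and the function and parameter names (`parse_zeek_ts`, `detect_format`, `check_lines`, `expected`, `max_age`) are this example's own. It recognises the same two timestamp styles the answer's two TIME_FORMAT values target, flags lines whose `ts` style does not match what props.conf expects, and flags parsed times that fall outside a plausible window, which is exactly what a mis-parsed epoch looks like once it has landed in an index.

```python
"""Sanity-check the `ts` field of Zeek JSON log lines before onboarding them.

Added example for this thread; not part of the Splunk Add-on for Zeek.
Mirrors the two props.conf TIME_FORMAT choices discussed above:
  epoch seconds with microseconds   -> "%s.%6N"
  ISO8601 with microseconds + zone  -> "%Y-%m-%dT%H:%M:%S.%6N%z"
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Epoch seconds as Zeek writes them (10-digit seconds, optional fraction).
EPOCH_RE = re.compile(r"^\d{9,10}(\.\d{1,6})?$")
# ISO8601 as produced by Zeek's JSON::TS_ISO8601 (e.g. 2020-09-02T16:16:19.424519Z).
ISO8601_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:?\d{2})$"
)


def detect_format(value):
    """Return 'epoch', 'iso8601', or None for a raw Zeek `ts` value."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return "epoch"
    if isinstance(value, str):
        if EPOCH_RE.match(value):
            return "epoch"
        if ISO8601_RE.match(value):
            return "iso8601"
    return None


def parse_zeek_ts(value):
    """Return an aware UTC datetime for a Zeek `ts` value, or None if unrecognised."""
    fmt = detect_format(value)
    if fmt == "epoch":
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    if fmt == "iso8601":
        # %z accepts 'Z', '+00:00' and '+0000' on Python 3.7+; %f takes 1-6 digits.
        s = value if "." in value else value.replace("Z", ".0Z")
        return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)
    return None


def check_lines(lines, expected, now, max_age=timedelta(days=30),
                max_skew=timedelta(minutes=5)):
    """Classify each JSON line's `ts` against the TIME_FORMAT style props.conf expects.

    Returns a list of (status, raw_ts) tuples with status one of:
      'ok'              parses in the expected style and sits inside the window
      'format_mismatch' valid timestamp, but in the other style (TIME_FORMAT would fail)
      'out_of_window'   parses, but is older than max_age or more than max_skew in the future
      'unparseable'     missing `ts` or neither style
    """
    results = []
    for line in lines:
        raw = json.loads(line).get("ts")
        fmt = detect_format(raw)
        parsed = parse_zeek_ts(raw)
        if parsed is None:
            results.append(("unparseable", raw))
        elif fmt != expected:
            results.append(("format_mismatch", raw))
        elif parsed < now - max_age or parsed > now + max_skew:
            results.append(("out_of_window", raw))
        else:
            results.append(("ok", raw))
    return results


# Constructed sample lines (not real traffic). One per situation the thread describes.
SAMPLE_LINES = [
    # conn log, epoch ts as Zeek emits it by default: 2020-09-02T16:16:19Z
    '{"ts":1599063379.424519,"uid":"CxConstructed1","id.orig_h":"10.0.0.5","proto":"tcp"}',
    # dns log from a Security Onion style ISO8601 configuration
    '{"ts":"2020-09-02T16:16:19.424519Z","uid":"CxConstructed2","query":"example.com"}',
    # ssl log whose ts is years stale, the symptom of an event "shuffled back in time"
    '{"ts":1299063379.4,"uid":"CxConstructed3","server_name":"example.net"}',
    # malformed record with no ts at all
    '{"uid":"CxConstructed4","proto":"udp"}',
]

if __name__ == "__main__":
    reference_now = datetime(2020, 9, 3, tzinfo=timezone.utc)
    for status, raw in check_lines(SAMPLE_LINES, "epoch", reference_now):
        print(f"{status:16} {raw}")
```

Run it with `expected="epoch"` when props.conf carries `%s.%6N`, or `expected="iso8601"` when it carries the ISO8601 TIME_FORMAT; any `format_mismatch` line is one Splunk's timestamp extraction would fall back on, and any `out_of_window` line is one that would show up in search with the wrong event time. The window defaults are deliberately strict for a near-real-time feed; widen `max_age` when replaying historical logs.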
