I know the documentation for Zeek add-on says there is support for specific versions
Zeek aka Bro versions 2.1, 2.2, 2.3, 2.4, 2.5
But has anyone used it with Zeek version 3.+???
OR does anyone have a suggestion to onboard Zeek 3+ ???
Is sending as json format the best option?
TY!
Currently using it with Zeek version 3.0.8 on Security Onion 16.04.7.1
No issues with JSON format. The add-on itself is rather lacking in the sourcetypes and covers just the main ones like conn, dns, ssl... definitely add the ones you would like to parse a little more.
I personally like the JSON format more than TSV but it does support that fine as well with its sourcetype autotyping/dynamic extraction.
I would beware of the TIME_FORMAT in props.conf, as Zeek by default uses epoch but Security Onion has been configured to use ISO8601.
If using ISO8601, substitute TIME_FORMAT = %s.%6N for TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%z
Thanks for the reply.
We could not get the add-on to work with our 3.x version of Zeek for some reason. Maybe we will try again. JSON format is working fine for us as well.
We did see a strange Splunk Time Stamp issue for specific Zeek sourcetypes where Splunk shuffled some of the current events (with recent epoch time) back in time, giving the events a time stamp of years earlier. We fixed it with a couple of sedcmd entries in props.conf, seems to be ok now.
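The two points raised in this thread, picking the TIME_FORMAT that matches what your Zeek deployment actually writes into `ts`, and catching events that Splunk has pushed back years in time, both come down to checking the timestamp format before it hits props.conf. The following is an added example in Python, not code from the thread, from Zeek, from Security Onion or from the Splunk add-on. It reads Zeek JSON log lines, classifies the `ts` field as epoch or ISO8601, maps it to the corresponding TIME_FORMAT string quoted above, and flags timestamps that are implausibly far in the past or future. The sample log lines are constructed, and the helper names (`parse_ts`, `check_line`, `suspicious_skew`) are this example's own.

```python
"""Classify Zeek JSON `ts` values and pick the matching Splunk TIME_FORMAT.

Added example for the thread above; not part of the Zeek add-on or of
Security Onion. Run it offline against the constructed sample lines.
"""
import json
from datetime import datetime, timedelta, timezone

# The two props.conf TIME_FORMAT values quoted in the thread.
TIME_FORMAT_EPOCH = "%s.%6N"                  # Zeek default: epoch seconds with microseconds
TIME_FORMAT_ISO = "%Y-%m-%dT%H:%M:%S.%6N%z"   # Security Onion style ISO8601 with offset

# Constructed sample lines (hypothetical uids and RFC 1918 addresses), one in
# each format. 1600000000 is 2020-09-13T12:26:40Z.
SAMPLE_LINES = [
    '{"ts":1600000000.123456,"uid":"CExample1","id.orig_h":"10.0.0.5",'
    '"id.resp_h":"10.0.0.9","proto":"tcp"}',
    '{"ts":"2020-09-13T12:26:40.123456+0000","uid":"CExample2","id.orig_h":"10.0.0.5",'
    '"id.resp_h":"10.0.0.9","proto":"udp"}',
]


def parse_ts(value):
    """Return (kind, timezone-aware datetime) for a Zeek `ts` in either format.

    A numeric `ts` is epoch seconds; a string is expected to be ISO8601 with
    fractional seconds and a numeric UTC offset, as in the sample lines.
    """
    if isinstance(value, (int, float)):
        return "epoch", datetime.fromtimestamp(float(value), tz=timezone.utc)
    if isinstance(value, str):
        # %f accepts 1-6 fractional digits, %z accepts +0000 or +00:00.
        return "iso8601", datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")
    raise ValueError(f"unsupported ts type: {type(value).__name__}")


def check_line(line):
    """Parse one Zeek JSON log line and report the TIME_FORMAT it needs."""
    record = json.loads(line)
    kind, when = parse_ts(record["ts"])
    time_format = TIME_FORMAT_EPOCH if kind == "epoch" else TIME_FORMAT_ISO
    return {"kind": kind, "ts": when, "time_format": time_format, "uid": record.get("uid")}


def suspicious_skew(when, now, max_past=timedelta(days=365), max_future=timedelta(hours=1)):
    """True if `when` is implausibly old or in the future relative to `now`.

    The thread describes Splunk stamping current events years in the past; a
    check like this over the parsed `_time` of a sample of events is how you
    would notice that a TIME_FORMAT mismatch (or a SEDCMD rewrite) went wrong.
    """
    return when < now - max_past or when > now + max_future


def audit(lines, now):
    """Check every line; return the set of formats seen and any skewed uids."""
    kinds = set()
    skewed = []
    for line in lines:
        result = check_line(line)
        kinds.add(result["kind"])
        if suspicious_skew(result["ts"], now):
            skewed.append(result["uid"])
    return {"kinds": kinds, "skewed": skewed}


if __name__ == "__main__":
    now = datetime(2020, 9, 14, tzinfo=timezone.utc)  # constructed "current" time
    for line in SAMPLE_LINES:
        r = check_line(line)
        print(f'{r["uid"]}: ts is {r["kind"]}, use TIME_FORMAT = {r["time_format"]}')
    print(audit(SAMPLE_LINES, now))
```

If `audit` reports more than one kind across a set of logs, the sourcetype needs a single consistent format before a fixed TIME_FORMAT in props.conf will work; if it reports skewed uids against a realistic `now`, inspect how `_time` is being extracted for that sourcetype before reaching for SEDCMD rewrites.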