Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

Zeek Network Security Monitor (Previously known as Bro)

Support Added: FortiSIEM 5.2.5 (Installed on Security Onion)

Last Modification: FortiSIEM 6.3.1

Vendor Version Tested: Not Provided

Vendor: Zeek

Product Information: https://zeek.org/

 

Log Information

Log Collection Method Log Body Format Accepted Purpose
Syslog (via Rsyslog) JSON Security and Compliance

Event Types

In 6.3.1, there are 29 event types.

Rules

There are no specific rules for Zeek Network Security Monitor.

Reports

There are no specific reports for Zeek Network Security Monitor.

Configuration

To forward logs to FortiSIEM, they must be configured to follow a specific format. Prior to this configuration, you may need to configure Zeek to output logs to JSON format. If you are using Security Onion with Zeek, you can skip the Configuring Zeek to Output Logs to JSON as Security Onion by default configures Zeek for JSON.

Configuring Zeek to Output Logs to JSON

To configure Zeek to output logs to JSON, take the following steps:

  1. Stop Zeek if it is running by using the following command.

    zeekctl stop

  2. Edit /opt/zeek/share/zeek/site/local.zeek by adding the following line.

    @load policy/tuning/json-logs.zeek

  3. Restart Zeek and confirm logs are stored in JSON format by running the follow commands.

    zeekctl deploy

    cd /opt/zeek/logs/current

    less conn.logs

FortiSIEM Expected Format

Rsyslog or Syslog NG configuration is required to pickup the desired logs using FortiSIEM's expected format.

Example Format of Log:
<190>Jun 16 17:55:50 host1 zeek_conn: {}

 

The log type is appended to zeek_<log file name>. See here for more information.

Rsyslog or Syslog-ng must be configured to pick up the defined log files and put them in the correct expected header format.

<190>Jun 16 17:55:50 host1 zeek_<log_file_name> <log body>

Example:

<190>Jun 16 17:55:50 co-nuc zeek_conn: {"ts":1623862540.702791,"uid":"CBeSUC20TqYMeNKaL4","id.orig_h":"192.168.77.115","id.orig_p":58734,"id.resp_h":"1.1.1.1","id.resp_p":443,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}

This format is achieved in rsyslog if you specify an input file tag when opening the log file as shown here.

$InputFileTag zeek_conn:

Choose the configuration that matches your environment.

Zeek Deployment through Security Onion Rsyslog Configuration

If your Zeek deployment is through Security Onion, and you are using the Centos 7 + docker ISO download, you can use rsyslog to collect the log files. The path to your logs should be here: /nsm/zeek/logs/current. The default format is already JSON.

Under this folder, you have several defaults, listed here:

broker.log
capture_loss.log
cluster.log
conn.log
loaded_scripts.log
notice.log
packet_filter.log
reporter.log
stats.log
stderr.log
stdout.log
weird.log

Take the following steps:

  1. Open the Rsyslog file using the following command.

    vi /etc/rsyslog.conf

  2. Under the Modules section, add the following line.

    $ModLoad imfile

  3. In between the Global Directives and Rules sections, add the following:

    $InputFileName /nsm/zeek/logs/current/notice.log
    $InputFileTag zeek_notice:
    $InputFileStateFile stat-zeek_notice
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/cluster.log
    $InputFileTag zeek_cluster:
    $InputFileStateFile stat-zeek_cluster
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/loaded_scripts.log
    $InputFileTag zeek_loaded_scripts:
    $InputFileStateFile stat-zeek_loaded_scripts
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/conn.log
    $InputFileTag zeek_conn:
    $InputFileStateFile stat-zeek_conn
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/dns.log
    $InputFileTag zeek_dns:
    $InputFileStateFile stat-zeek_dns
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/http.log
    $InputFileTag zeek_http:
    $InputFileStateFile stat-zeek_http
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/smtp.log
    $InputFileTag zeek_smtp:
    $InputFileStateFile stat-zeek_smtp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ssh.log
    $InputFileTag zeek_ssh:
    $InputFileStateFile stat-zeek_ssh
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/dhcp.log
    $InputFileTag zeek_dhcp:
    $InputFileStateFile stat-zeek_dhcp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ntp.log
    $InputFileTag zeek_ntp:
    $InputFileStateFile stat-zeek_ntp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/dce_rpc.log
    $InputFileTag zeek_dce_rpc:
    $InputFileStateFile stat-dce_rpc
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/kerberos.log
    $InputFileTag zeek_kerberos:
    $InputFileStateFile stat-kerberos
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ntlm.log
    $InputFileTag zeek_ntlm:
    $InputFileStateFile stat-ntlm
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ssl.log
    $InputFileTag zeek_ssl:
    $InputFileStateFile stat-zeek_ssl
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/files.log
    $InputFileTag zeek_files:
    $InputFileStateFile stat-zeek_files
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ftp.log
    $InputFileTag zeek_ftp:
    $InputFileStateFile stat-zeek_ftp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/x509.log
    $InputFileTag zeek_x509:
    $InputFileStateFile stat-zeek_x509
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/smtp.log
    $InputFileTag zeek_smtp:
    $InputFileStateFile stat-zeek_smtp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ssh.log
    $InputFileTag zeek_ssh:
    $InputFileStateFile stat-zeek_ssh
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/pe.log
    $InputFileTag zeek_pe:
    $InputFileStateFile stat-zeek_pe
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ftp.log
    $InputFileTag zeek_ftp:
    $InputFileStateFile stat-zeek_ftp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/rdp.log
    $InputFileTag zeek_rdp:
    $InputFileStateFile stat-zeek_rdp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/traceroute.log
    $InputFileTag zeek_irc:
    $InputFileStateFile stat-zeek_traceroute
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/dpd.log
    $InputFileTag zeek_dpd:
    $InputFileStateFile stat-zeek_dpd
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/software.log
    $InputFileTag zeek_software:
    $InputFileStateFile stat-zeek_software
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/weird.log
    $InputFileTag zeek_weird:
    $InputFileStateFile stat-zeek_weird
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/known_services.log
    $InputFileTag zeek_known_services:
    $InputFileStateFile stat-zeek_known_services
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/known_hosts.log
    $InputFileTag zeek_known_hosts:
    $InputFileStateFile stat-zeek_known_hosts
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/known_certs.log
    $InputFileTag zeek_known_certs:
    $InputFileStateFile stat-zeek_known_certs
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/capture_loss.log
    $InputFileTag zeek_capture_loss:
    $InputFileStateFile stat-zeek_capture_loss
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
  4. at the bottom of the Rules section, add the following check for new lines every second.

    $InputFilePollingInterval 1

    local7.info @<ip or FQDN of the FortiSIEM collector>

  5. Save the file.

  6. Restart Rsyslog by running the following command.

    systemctl restart rsyslog

As events occur for Zeek, these logs will be sent to the location specified under @<ip or FQDN of the FortiSIEM collector>.

 

Standalone Zeek Deployment Rsyslog Configuration

For standalone Zeek deployment, log file location is most typically here:

/opt/zeek/logs/current

If your log file path is neither of these, replace the following commands with your correct path.

Take the following steps:

  1. Open the Rsyslog file using the following command.

    vi /etc/rsyslog.conf

  2. Under the Modules section, add the following line.

    $ModLoad imfile

  3. In between the Global Directives and Rules sections, add the following:

    $InputFileName /opt/zeek/logs/current/notice.log
    $InputFileTag zeek_notice:
    $InputFileStateFile stat-zeek_notice
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/conn.log
    $InputFileTag zeek_conn:
    $InputFileStateFile stat-zeek_conn
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/dns.log
    $InputFileTag zeek_dns:
    $InputFileStateFile stat-zeek_dns
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/http.log
    $InputFileTag zeek_http:
    $InputFileStateFile stat-zeek_http
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/smtp.log
    $InputFileTag zeek_smtp:
    $InputFileStateFile stat-zeek_smtp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ssh.log
    $InputFileTag zeek_ssh:
    $InputFileStateFile stat-zeek_ssh
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/dhcp.log
    $InputFileTag zeek_dhcp:
    $InputFileStateFile stat-zeek_dhcp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ntp.log
    $InputFileTag zeek_ntp:
    $InputFileStateFile stat-zeek_ntp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/dce_rpc.log
    $InputFileTag zeek_dce_rpc:
    $InputFileStateFile stat-dce_rpc
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/kerberos.log
    $InputFileTag zeek_kerberos:
    $InputFileStateFile stat-kerberos
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ntlm.log
    $InputFileTag zeek_ntlm:
    $InputFileStateFile stat-ntlm
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ssl.log
    $InputFileTag zeek_ssl:
    $InputFileStateFile stat-zeek_ssl
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/files.log
    $InputFileTag zeek_files:
    $InputFileStateFile stat-zeek_files
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ftp.log
    $InputFileTag zeek_ftp:
    $InputFileStateFile stat-zeek_ftp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/x509.log
    $InputFileTag zeek_x509:
    $InputFileStateFile stat-zeek_x509
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/smtp.log
    $InputFileTag zeek_smtp:
    $InputFileStateFile stat-zeek_smtp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ssh.log
    $InputFileTag zeek_ssh:
    $InputFileStateFile stat-zeek_ssh
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/pe.log
    $InputFileTag zeek_pe:
    $InputFileStateFile stat-zeek_pe
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ftp.log
    $InputFileTag zeek_ftp:
    $InputFileStateFile stat-zeek_ftp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/rdp.log
    $InputFileTag zeek_rdp:
    $InputFileStateFile stat-zeek_rdp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/traceroute.log
    $InputFileTag zeek_irc:
    $InputFileStateFile stat-zeek_traceroute
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/dpd.log
    $InputFileTag zeek_dpd:
    $InputFileStateFile stat-zeek_dpd
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/software.log
    $InputFileTag zeek_software:
    $InputFileStateFile stat-zeek_software
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/weird.log
    $InputFileTag zeek_weird:
    $InputFileStateFile stat-zeek_weird
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/known_services.log
    $InputFileTag zeek_known_services:
    $InputFileStateFile stat-zeek_known_services
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/known_hosts.log
    $InputFileTag zeek_known_hosts:
    $InputFileStateFile stat-zeek_known_hosts
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/known_certs.log
    $InputFileTag zeek_known_certs:
    $InputFileStateFile stat-zeek_known_certs
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/capture_loss.log
    $InputFileTag zeek_capture_loss:
    $InputFileStateFile stat-zeek_capture_loss
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
  4. At the bottom of the Rules section, add the following check for new lines every second.

    $InputFilePollingInterval 1
    local7.info @<ip or FQDN of FortiSIEM collector>
    
  5. Save the file.

  6. Restart Rsyslog by running the following command.

    systemctl restart rsyslog

As events occur for Zeek, these logs will be sent to the location specified under @<ip or FQDN of FortiSIEM collector>.

 

Zeek Network Security Monitor (Previously known as Bro)

Support Added: FortiSIEM 5.2.5 (Installed on Security Onion)

Last Modification: FortiSIEM 6.3.1

Vendor Version Tested: Not Provided

Vendor: Zeek

Product Information: https://zeek.org/

 

Log Information

Log Collection Method Log Body Format Accepted Purpose
Syslog (via Rsyslog) JSON Security and Compliance

Event Types

In 6.3.1, there are 29 event types.

Rules

There are no specific rules for Zeek Network Security Monitor.

Reports

There are no specific reports for Zeek Network Security Monitor.

Configuration

To forward logs to FortiSIEM, they must be configured to follow a specific format. Prior to this configuration, you may need to configure Zeek to output logs to JSON format. If you are using Security Onion with Zeek, you can skip the Configuring Zeek to Output Logs to JSON as Security Onion by default configures Zeek for JSON.

Configuring Zeek to Output Logs to JSON

To configure Zeek to output logs to JSON, take the following steps:

  1. Stop Zeek if it is running by using the following command.

    zeekctl stop

  2. Edit /opt/zeek/share/zeek/site/local.zeek by adding the following line.

    @load policy/tuning/json-logs.zeek

  3. Restart Zeek and confirm logs are stored in JSON format by running the follow commands.

    zeekctl deploy

    cd /opt/zeek/logs/current

    less conn.logs

FortiSIEM Expected Format

Rsyslog or Syslog NG configuration is required to pickup the desired logs using FortiSIEM's expected format.

Example Format of Log:
<190>Jun 16 17:55:50 host1 zeek_conn: {}

 

The log type is appended to zeek_<log file name>. See here for more information.

Rsyslog or Syslog-ng must be configured to pick up the defined log files and put them in the correct expected header format.

<190>Jun 16 17:55:50 host1 zeek_<log_file_name> <log body>

Example:

<190>Jun 16 17:55:50 co-nuc zeek_conn: {"ts":1623862540.702791,"uid":"CBeSUC20TqYMeNKaL4","id.orig_h":"192.168.77.115","id.orig_p":58734,"id.resp_h":"1.1.1.1","id.resp_p":443,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}

This format is achieved in rsyslog if you specify an input file tag when opening the log file as shown here.

$InputFileTag zeek_conn:

Choose the configuration that matches your environment.

Zeek Deployment through Security Onion Rsyslog Configuration

If your Zeek deployment is through Security Onion, and you are using the Centos 7 + docker ISO download, you can use rsyslog to collect the log files. The path to your logs should be here: /nsm/zeek/logs/current. The default format is already JSON.

Under this folder, you have several defaults, listed here:

broker.log
capture_loss.log
cluster.log
conn.log
loaded_scripts.log
notice.log
packet_filter.log
reporter.log
stats.log
stderr.log
stdout.log
weird.log

Take the following steps:

  1. Open the Rsyslog file using the following command.

    vi /etc/rsyslog.conf

  2. Under the Modules section, add the following line.

    $ModLoad imfile

  3. In between the Global Directives and Rules sections, add the following:

    $InputFileName /nsm/zeek/logs/current/notice.log
    $InputFileTag zeek_notice:
    $InputFileStateFile stat-zeek_notice
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/cluster.log
    $InputFileTag zeek_cluster:
    $InputFileStateFile stat-zeek_cluster
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/loaded_scripts.log
    $InputFileTag zeek_loaded_scripts:
    $InputFileStateFile stat-zeek_loaded_scripts
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/conn.log
    $InputFileTag zeek_conn:
    $InputFileStateFile stat-zeek_conn
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/dns.log
    $InputFileTag zeek_dns:
    $InputFileStateFile stat-zeek_dns
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/http.log
    $InputFileTag zeek_http:
    $InputFileStateFile stat-zeek_http
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/smtp.log
    $InputFileTag zeek_smtp:
    $InputFileStateFile stat-zeek_smtp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ssh.log
    $InputFileTag zeek_ssh:
    $InputFileStateFile stat-zeek_ssh
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/dhcp.log
    $InputFileTag zeek_dhcp:
    $InputFileStateFile stat-zeek_dhcp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ntp.log
    $InputFileTag zeek_ntp:
    $InputFileStateFile stat-zeek_ntp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/dce_rpc.log
    $InputFileTag zeek_dce_rpc:
    $InputFileStateFile stat-dce_rpc
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/kerberos.log
    $InputFileTag zeek_kerberos:
    $InputFileStateFile stat-kerberos
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ntlm.log
    $InputFileTag zeek_ntlm:
    $InputFileStateFile stat-ntlm
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ssl.log
    $InputFileTag zeek_ssl:
    $InputFileStateFile stat-zeek_ssl
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/files.log
    $InputFileTag zeek_files:
    $InputFileStateFile stat-zeek_files
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ftp.log
    $InputFileTag zeek_ftp:
    $InputFileStateFile stat-zeek_ftp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/x509.log
    $InputFileTag zeek_x509:
    $InputFileStateFile stat-zeek_x509
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/smtp.log
    $InputFileTag zeek_smtp:
    $InputFileStateFile stat-zeek_smtp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ssh.log
    $InputFileTag zeek_ssh:
    $InputFileStateFile stat-zeek_ssh
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/pe.log
    $InputFileTag zeek_pe:
    $InputFileStateFile stat-zeek_pe
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/ftp.log
    $InputFileTag zeek_ftp:
    $InputFileStateFile stat-zeek_ftp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/rdp.log
    $InputFileTag zeek_rdp:
    $InputFileStateFile stat-zeek_rdp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/traceroute.log
    $InputFileTag zeek_irc:
    $InputFileStateFile stat-zeek_traceroute
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/dpd.log
    $InputFileTag zeek_dpd:
    $InputFileStateFile stat-zeek_dpd
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/software.log
    $InputFileTag zeek_software:
    $InputFileStateFile stat-zeek_software
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/weird.log
    $InputFileTag zeek_weird:
    $InputFileStateFile stat-zeek_weird
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/known_services.log
    $InputFileTag zeek_known_services:
    $InputFileStateFile stat-zeek_known_services
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/known_hosts.log
    $InputFileTag zeek_known_hosts:
    $InputFileStateFile stat-zeek_known_hosts
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/known_certs.log
    $InputFileTag zeek_known_certs:
    $InputFileStateFile stat-zeek_known_certs
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /nsm/zeek/logs/current/capture_loss.log
    $InputFileTag zeek_capture_loss:
    $InputFileStateFile stat-zeek_capture_loss
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
  4. at the bottom of the Rules section, add the following check for new lines every second.

    $InputFilePollingInterval 1

    local7.info @<ip or FQDN of the FortiSIEM collector>

  5. Save the file.

  6. Restart Rsyslog by running the following command.

    systemctl restart rsyslog

As events occur for Zeek, these logs will be sent to the location specified under @<ip or FQDN of the FortiSIEM collector>.

 

Standalone Zeek Deployment Rsyslog Configuration

For standalone Zeek deployment, log file location is most typically here:

/opt/zeek/logs/current

If your log file path is neither of these, replace the following commands with your correct path.

Take the following steps:

  1. Open the Rsyslog file using the following command.

    vi /etc/rsyslog.conf

  2. Under the Modules section, add the following line.

    $ModLoad imfile

  3. In between the Global Directives and Rules sections, add the following:

    $InputFileName /opt/zeek/logs/current/notice.log
    $InputFileTag zeek_notice:
    $InputFileStateFile stat-zeek_notice
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/conn.log
    $InputFileTag zeek_conn:
    $InputFileStateFile stat-zeek_conn
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/dns.log
    $InputFileTag zeek_dns:
    $InputFileStateFile stat-zeek_dns
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/http.log
    $InputFileTag zeek_http:
    $InputFileStateFile stat-zeek_http
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/smtp.log
    $InputFileTag zeek_smtp:
    $InputFileStateFile stat-zeek_smtp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ssh.log
    $InputFileTag zeek_ssh:
    $InputFileStateFile stat-zeek_ssh
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/dhcp.log
    $InputFileTag zeek_dhcp:
    $InputFileStateFile stat-zeek_dhcp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ntp.log
    $InputFileTag zeek_ntp:
    $InputFileStateFile stat-zeek_ntp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/dce_rpc.log
    $InputFileTag zeek_dce_rpc:
    $InputFileStateFile stat-dce_rpc
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/kerberos.log
    $InputFileTag zeek_kerberos:
    $InputFileStateFile stat-kerberos
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ntlm.log
    $InputFileTag zeek_ntlm:
    $InputFileStateFile stat-ntlm
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ssl.log
    $InputFileTag zeek_ssl:
    $InputFileStateFile stat-zeek_ssl
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/files.log
    $InputFileTag zeek_files:
    $InputFileStateFile stat-zeek_files
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ftp.log
    $InputFileTag zeek_ftp:
    $InputFileStateFile stat-zeek_ftp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/x509.log
    $InputFileTag zeek_x509:
    $InputFileStateFile stat-zeek_x509
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/smtp.log
    $InputFileTag zeek_smtp:
    $InputFileStateFile stat-zeek_smtp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ssh.log
    $InputFileTag zeek_ssh:
    $InputFileStateFile stat-zeek_ssh
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/pe.log
    $InputFileTag zeek_pe:
    $InputFileStateFile stat-zeek_pe
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/ftp.log
    $InputFileTag zeek_ftp:
    $InputFileStateFile stat-zeek_ftp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/rdp.log
    $InputFileTag zeek_rdp:
    $InputFileStateFile stat-zeek_rdp
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/traceroute.log
    $InputFileTag zeek_irc:
    $InputFileStateFile stat-zeek_traceroute
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/dpd.log
    $InputFileTag zeek_dpd:
    $InputFileStateFile stat-zeek_dpd
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/software.log
    $InputFileTag zeek_software:
    $InputFileStateFile stat-zeek_software
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/weird.log
    $InputFileTag zeek_weird:
    $InputFileStateFile stat-zeek_weird
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/known_services.log
    $InputFileTag zeek_known_services:
    $InputFileStateFile stat-zeek_known_services
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/known_hosts.log
    $InputFileTag zeek_known_hosts:
    $InputFileStateFile stat-zeek_known_hosts
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/known_certs.log
    $InputFileTag zeek_known_certs:
    $InputFileStateFile stat-zeek_known_certs
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
    $InputFileName /opt/zeek/logs/current/capture_loss.log
    $InputFileTag zeek_capture_loss:
    $InputFileStateFile stat-zeek_capture_loss
    $InputFileSeverity info
    $InputFileFacility local7
    $InputRunFileMonitor
    
  4. At the bottom of the Rules section, add the following check for new lines every second.

    $InputFilePollingInterval 1
    local7.info @<ip or FQDN of FortiSIEM collector>
    
  5. Save the file.

  6. Restart Rsyslog by running the following command.

    systemctl restart rsyslog

As events occur for Zeek, these logs will be sent to the location specified under @<ip or FQDN of FortiSIEM collector>.