Zeek Network Security Monitor (Previously known as Bro)
Support Added: FortiSIEM 5.2.5 (Installed on Security Onion)
Last Modification: FortiSIEM 6.3.1
Vendor Version Tested: Not Provided
Vendor: Zeek
Product Information: https://zeek.org/
Log Information
Log Collection Method | Log Body Format Accepted | Purpose |
---|---|---|
Syslog (via Rsyslog) | JSON | Security and Compliance |
Event Types
In 6.3.1, there are 29 event types.
Rules
There are no specific rules for Zeek Network Security Monitor.
Reports
There are no specific reports for Zeek Network Security Monitor.
Configuration
To forward logs to FortiSIEM, they must be configured to follow a specific format. Before that configuration, you may need to configure Zeek to output logs in JSON format. If you are using Security Onion with Zeek, you can skip the Configuring Zeek to Output Logs to JSON section, because Security Onion configures Zeek for JSON output by default.
Configuring Zeek to Output Logs to JSON
To configure Zeek to output logs to JSON, take the following steps:
- Stop Zeek if it is running by using the following command.
zeekctl stop
- Edit /opt/zeek/share/zeek/site/local.zeek by adding the following line.
@load policy/tuning/json-logs.zeek
- Restart Zeek and confirm that logs are stored in JSON format by running the following commands.
zeekctl deploy
cd /opt/zeek/logs/current
less conn.log
FortiSIEM Expected Format
Rsyslog or Syslog-ng configuration is required to pick up the desired logs and forward them in FortiSIEM's expected format.
Example Format of Log: <190>Jun 16 17:55:50 host1 zeek_conn: {}
The syslog tag is zeek_<log file name>: the prefix zeek_ followed by the name of the Zeek log file without its .log extension, so conn.log is tagged zeek_conn.
Rsyslog or Syslog-ng must be configured to pick up the defined log files and put them in the correct expected header format.
<190>Jun 16 17:55:50 host1 zeek_<log_file_name> <log body>
Example:
<190>Jun 16 17:55:50 co-nuc zeek_conn: {"ts":1623862540.702791,"uid":"CBeSUC20TqYMeNKaL4","id.orig_h":"192.168.77.115","id.orig_p":58734,"id.resp_h":"1.1.1.1","id.resp_p":443,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
This format is achieved in rsyslog if you specify an input file tag when opening the log file as shown here.
$InputFileTag zeek_conn:
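As an added example (not part of the FortiSIEM documentation), the following Python builds the imfile stanza for one Zeek log in the legacy rsyslog form used below, and checks that a line as it arrives at the collector matches the expected header, carries PRI 190 (local7.info) and has a JSON body with Zeek's ts field; SAMPLE_LINE is a shortened copy of this page's conn.log sample, and the function names are this example's own.

```python
import json
import re

# Legacy-format rsyslog imfile stanza for one Zeek log, one directive per line.
# The tag must be zeek_<log file name>: because that is what FortiSIEM keys on.
def imfile_stanza(log_dir, log_name):
    return "\n".join([
        f"$InputFileName {log_dir}/{log_name}.log",
        f"$InputFileTag zeek_{log_name}:",
        f"$InputFileStateFile stat-zeek_{log_name}",
        "$InputFileSeverity info",
        "$InputFileFacility local7",
        "$InputRunFileMonitor",
    ])

# Expected wire format: <PRI>Mon DD HH:MM:SS host zeek_<name>: {json}
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>zeek_[a-z0-9_]+): (?P<body>\{.*\})$"
)

def check_fortisiem_line(line):
    """Return (zeek_log_type, parsed_json) for a well-formed line; raise
    ValueError naming the first defect found (header, PRI, JSON body)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("header is not '<PRI>timestamp host zeek_<name>: {json}'")
    facility, severity = divmod(int(m.group("pri")), 8)
    if (facility, severity) != (23, 6):  # local7.info == PRI 190
        raise ValueError(f"PRI {m.group('pri')} is not local7.info (190)")
    try:
        body = json.loads(m.group("body"))
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from None
    if "ts" not in body:
        raise ValueError("JSON body lacks Zeek's 'ts' field")
    return m.group("tag")[len("zeek_"):], body

# Shortened copy of this page's conn.log sample line (known-good input).
SAMPLE_LINE = ('<190>Jun 16 17:55:50 co-nuc zeek_conn: {"ts":1623862540.702791,'
               '"uid":"CBeSUC20TqYMeNKaL4","id.orig_h":"192.168.77.115",'
               '"id.orig_p":58734,"id.resp_h":"1.1.1.1","id.resp_p":443,'
               '"proto":"tcp","conn_state":"OTH"}')

if __name__ == "__main__":
    print(imfile_stanza("/opt/zeek/logs/current", "conn"))
    log_type, body = check_fortisiem_line(SAMPLE_LINE)
    print(log_type, body["id.orig_h"], "->", body["id.resp_h"], body["id.resp_p"])
```

Run it against a capture of what the collector actually receives (for example, a line written by a local rsyslog debug output) to confirm the tag and PRI before pointing the rule at FortiSIEM.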
Choose the configuration that matches your environment.
Zeek Deployment through Security Onion Rsyslog Configuration
If your Zeek deployment is through Security Onion, and you are using the CentOS 7 + Docker ISO download, you can use rsyslog to collect the log files. The path to your logs should be /nsm/zeek/logs/current, and the default format is already JSON.
Under this folder, you have several defaults, listed here:
broker.log capture_loss.log cluster.log conn.log loaded_scripts.log notice.log packet_filter.log reporter.log stats.log stderr.log stdout.log weird.log
Take the following steps:
- Open the Rsyslog file using the following command.
vi /etc/rsyslog.conf
- Under the Modules section, add the following line.
$ModLoad imfile
- In between the Global Directives and Rules sections, add the following (each directive on its own line):
# One imfile stanza per Zeek log; the tag is always zeek_<log file name>:
$InputFileName /nsm/zeek/logs/current/notice.log
$InputFileTag zeek_notice:
$InputFileStateFile stat-zeek_notice
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/cluster.log
$InputFileTag zeek_cluster:
$InputFileStateFile stat-zeek_cluster
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/loaded_scripts.log
$InputFileTag zeek_loaded_scripts:
$InputFileStateFile stat-zeek_loaded_scripts
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/conn.log
$InputFileTag zeek_conn:
$InputFileStateFile stat-zeek_conn
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/dns.log
$InputFileTag zeek_dns:
$InputFileStateFile stat-zeek_dns
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/http.log
$InputFileTag zeek_http:
$InputFileStateFile stat-zeek_http
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/smtp.log
$InputFileTag zeek_smtp:
$InputFileStateFile stat-zeek_smtp
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/ssh.log
$InputFileTag zeek_ssh:
$InputFileStateFile stat-zeek_ssh
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/dhcp.log
$InputFileTag zeek_dhcp:
$InputFileStateFile stat-zeek_dhcp
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/ntp.log
$InputFileTag zeek_ntp:
$InputFileStateFile stat-zeek_ntp
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/dce_rpc.log
$InputFileTag zeek_dce_rpc:
$InputFileStateFile stat-dce_rpc
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/kerberos.log
$InputFileTag zeek_kerberos:
$InputFileStateFile stat-kerberos
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/ntlm.log
$InputFileTag zeek_ntlm:
$InputFileStateFile stat-ntlm
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/ssl.log
$InputFileTag zeek_ssl:
$InputFileStateFile stat-zeek_ssl
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/files.log
$InputFileTag zeek_files:
$InputFileStateFile stat-zeek_files
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/ftp.log
$InputFileTag zeek_ftp:
$InputFileStateFile stat-zeek_ftp
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/x509.log
$InputFileTag zeek_x509:
$InputFileStateFile stat-zeek_x509
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/pe.log
$InputFileTag zeek_pe:
$InputFileStateFile stat-zeek_pe
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/rdp.log
$InputFileTag zeek_rdp:
$InputFileStateFile stat-zeek_rdp
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/traceroute.log
$InputFileTag zeek_traceroute:
$InputFileStateFile stat-zeek_traceroute
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/dpd.log
$InputFileTag zeek_dpd:
$InputFileStateFile stat-zeek_dpd
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/software.log
$InputFileTag zeek_software:
$InputFileStateFile stat-zeek_software
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/weird.log
$InputFileTag zeek_weird:
$InputFileStateFile stat-zeek_weird
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/known_services.log
$InputFileTag zeek_known_services:
$InputFileStateFile stat-zeek_known_services
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/known_hosts.log
$InputFileTag zeek_known_hosts:
$InputFileStateFile stat-zeek_known_hosts
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/known_certs.log
$InputFileTag zeek_known_certs:
$InputFileStateFile stat-zeek_known_certs
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /nsm/zeek/logs/current/capture_loss.log
$InputFileTag zeek_capture_loss:
$InputFileStateFile stat-zeek_capture_loss
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
- At the bottom of the Rules section, add the following lines so that rsyslog checks the files for new lines every second and forwards local7.info events to the collector.
$InputFilePollingInterval 1
local7.info @<ip or FQDN of the FortiSIEM collector>
- Save the file.
- Restart Rsyslog by running the following command.
systemctl restart rsyslog
As events occur for Zeek, these logs will be sent to the location specified under @<ip or FQDN of the FortiSIEM collector>.
Standalone Zeek Deployment Rsyslog Configuration
For a standalone Zeek deployment, the log files are most typically located in /opt/zeek/logs/current.
If your log file path is neither /nsm/zeek/logs/current nor /opt/zeek/logs/current, substitute your own path in the directives below.
Take the following steps:
- Open the Rsyslog file using the following command.
vi /etc/rsyslog.conf
- Under the Modules section, add the following line.
$ModLoad imfile
- In between the Global Directives and Rules sections, add the following (each directive on its own line):
# One imfile stanza per Zeek log; the tag is always zeek_<log file name>:
$InputFileName /opt/zeek/logs/current/notice.log
$InputFileTag zeek_notice:
$InputFileStateFile stat-zeek_notice
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/conn.log
$InputFileTag zeek_conn:
$InputFileStateFile stat-zeek_conn
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/dns.log
$InputFileTag zeek_dns:
$InputFileStateFile stat-zeek_dns
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/http.log
$InputFileTag zeek_http:
$InputFileStateFile stat-zeek_http
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/smtp.log
$InputFileTag zeek_smtp:
$InputFileStateFile stat-zeek_smtp
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/ssh.log
$InputFileTag zeek_ssh:
$InputFileStateFile stat-zeek_ssh
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/dhcp.log
$InputFileTag zeek_dhcp:
$InputFileStateFile stat-zeek_dhcp
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/ntp.log
$InputFileTag zeek_ntp:
$InputFileStateFile stat-zeek_ntp
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/dce_rpc.log
$InputFileTag zeek_dce_rpc:
$InputFileStateFile stat-dce_rpc
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/kerberos.log
$InputFileTag zeek_kerberos:
$InputFileStateFile stat-kerberos
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/ntlm.log
$InputFileTag zeek_ntlm:
$InputFileStateFile stat-ntlm
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/ssl.log
$InputFileTag zeek_ssl:
$InputFileStateFile stat-zeek_ssl
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/files.log
$InputFileTag zeek_files:
$InputFileStateFile stat-zeek_files
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/ftp.log
$InputFileTag zeek_ftp:
$InputFileStateFile stat-zeek_ftp
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/x509.log
$InputFileTag zeek_x509:
$InputFileStateFile stat-zeek_x509
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/pe.log
$InputFileTag zeek_pe:
$InputFileStateFile stat-zeek_pe
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/rdp.log
$InputFileTag zeek_rdp:
$InputFileStateFile stat-zeek_rdp
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/traceroute.log
$InputFileTag zeek_traceroute:
$InputFileStateFile stat-zeek_traceroute
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/dpd.log
$InputFileTag zeek_dpd:
$InputFileStateFile stat-zeek_dpd
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/software.log
$InputFileTag zeek_software:
$InputFileStateFile stat-zeek_software
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/weird.log
$InputFileTag zeek_weird:
$InputFileStateFile stat-zeek_weird
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/known_services.log
$InputFileTag zeek_known_services:
$InputFileStateFile stat-zeek_known_services
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/known_hosts.log
$InputFileTag zeek_known_hosts:
$InputFileStateFile stat-zeek_known_hosts
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/known_certs.log
$InputFileTag zeek_known_certs:
$InputFileStateFile stat-zeek_known_certs
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

$InputFileName /opt/zeek/logs/current/capture_loss.log
$InputFileTag zeek_capture_loss:
$InputFileStateFile stat-zeek_capture_loss
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
- At the bottom of the Rules section, add the following lines so that rsyslog checks the files for new lines every second and forwards local7.info events to the collector.
$InputFilePollingInterval 1
local7.info @<ip or FQDN of FortiSIEM collector>
- Save the file.
- Restart Rsyslog by running the following command.
systemctl restart rsyslog
As events occur for Zeek, these logs will be sent to the location specified under @<ip or FQDN of FortiSIEM collector>.