Forward remote Zeek logs to Malcolm for analysis in Dashboards and Arkime

[StammesOpfer]

I need to ingest connection data for a number of clients where I can't otherwise collect it off the wire with Malcolm/Hedgehog. I would like to run Zeek on those clients and send it to Malcolm, this is documented for use in the normal dashboards, however I would like it more tightly integrated with the existing dashboards and most importantly Arkime. I have been trying to trace my way through the hedgehog source/config files to figure out what is different/needed for it to be ingested properly to display like all the other Zeek logs. Does anyone have any pointers or additional info to help make this work? Otherwise I'll keep digging.

[mmguero]

Here are some suggestions I'd make:

• Enable JSON logging for your zeek logs, as Hedgehog adds some extra fields based on some plugins we've got installed that you won't have with a vanilla zeek instance
  • Using the JSON log format will allow Malcolm to know which fields are which even though not all of the fields might match.
• The forwarding bit is really pretty easy. Here's how we do it with filebeat:
  • the inputs section and the outputs section could be used as a starting point for your config
  • You'll need to have the TLS-related files (certificate authority, certificate, and key files are located in the filebeat/certs/ directory on Malcolm) generated during auth_setup available on the forwarder and filebeat configured to use them in its outputs section
  • If you're not able to use filebeat to do the forwarding, I could walk you through how to do it with fluent-bit, although fluent-bit doesn't have a Logstash output so it'd be a little bit different than what we have here.

Let us know how it goes.

[StammesOpfer]

Thank you. I was staring at the filebeat.yml in the source just now and it looked promising. That is perfect for confirming I was going down the right road. Thank you. Filebeat is fine. Pretty sure I've got everything else good.

[GeoCoastie]

Working on a similar project, tested with the steps above.

My external client, running Zeek and Filebeat, certs correct. And added the

filebeat-logs.yml

under

 /etc/filebeat/modules.d/

My filebeat.yml points to the modules.d directory.

Going back to Malcolm, I see the logs generated within Dashboards-> Discover

However still none of the Zeek sessions are displaying within Arkime, (on this test env, my only node for LAN traffic is identified as node:Hedgehog1) If i omit Hedgehog1 node, results are blank.

[GeoCoastie]

Absolutely.

[GeoCoastie]

@mmguero Had issues with trying to replicate hedgehogs file, as the hedgehogs seem to run to Elasticsearch, and when that effort did not pan out, i attempted Logstash and was able to see data at least flowing somewhere.

[GeoCoastie]

[mmguero]

Okay, I see. Let's remove the _malcolm_beats tag you're adding, since that's what's routing it to the wrong pipeline (that tag and the associated pipeline is used for statistics, resource metrics, etc.). Instead, have it add the tag _filebeat_zeek_live which should get it into the Zeek pipeline. On hedgehog we add a slightly different tag but for just generic Zeek logs being generated on live network traffic _filebeat_zeek_live should do the trick, I think.

[GeoCoastie]

@mmguero That did it! Thank you sir!