Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement: Set logging format #17

Open
cplmayo opened this issue Feb 10, 2021 · 1 comment
Open

Enhancement: Set logging format #17

cplmayo opened this issue Feb 10, 2021 · 1 comment
Labels
enhancement

Comments

@cplmayo
Copy link

cplmayo commented Feb 10, 2021

By default Zeek stores logs in a plain text that if exported to a SIEM or log aggregator require additional parsing and sorting.

Zeek does have the ability to format logs as structured JSON making importing much easier.

Zeek Logging Framework
Zeek to Splunk Example
@shadyabhi
Copy link

shadyabhi commented Jan 13, 2023
edited
Loading

For anyone who comes here via Google search, if doing to manually, it is as simple as adding the following line:-

# Output to JSON
@load policy/tuning/json-logs.zeek

at location: /usr/local/share/zeek/policy/tuning/defaults/__load__.zeek.

Side note, I tried editing the location /opt/zeek/share/zeek/site/local.zeek directly, but, for whatever reason, JSON logging wasn't getting enabled

Considering how easy it is to enable JSON logging, it should be easy to do via GUI as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@shadyabhi @cplmayo @shadonet