Zeekurity Zen – Part III: How to Send Zeek (Bro) Logs to Splunk

This is part of the Zeekurity Zen Zeries on building a Zeek (formerly Bro) network sensor.

Overview

In our Zeek journey thus far, we’ve:

  • Set up Zeek to monitor some network traffic.
  • Used Zeek Package Manager to install AF_PACKET and other useful packages.

Now we’ll send our Zeek logs to Splunk, a popular log analysis platform.  This will enable us to quickly search through Zeek’s large dataset and build interesting queries and dashboards.

To do this, we’ll walk through these steps:

  1. Configure Zeek to output logs in JSON format for consumption by Splunk.
  2. Create an index in Splunk for Zeek data.
  3. Install and configure the Corelight For Splunk app to index and parse Zeek logs in Splunk.
  4. Create a splunk user to run the Splunk Universal Forwarder.
  5. Install and configure a Splunk Universal Forwarder to send Zeek logs to a Splunk instance.

Output Zeek logs to JSON

  1. Stop Zeek if it is currently running.
    zeekctl stop
  2. Edit /opt/zeek/share/zeek/site/local.zeek and add the following.
    # Output to JSON
    @load policy/tuning/json-logs.zeek
  3. Restart Zeek and view the logs in /opt/zeek/logs/current to confirm they are now in JSON format.
    zeekctl deploy
    cd /opt/zeek/logs/current
    less conn.log
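Eyeballing conn.log with less works, but it is easy to miss one log that is still in Zeek's default tab-separated format (its first line starts with "#separator"), and a TSV log shipped under a corelight_ sourcetype will not parse in Splunk. The following is an added example, not part of the original post or of Zeek itself: a small POSIX shell check that classifies every *.log in a directory as JSON or TSV. It runs stand-alone against a constructed temporary directory; on a sensor you would point it at /opt/zeek/logs/current.

```shell
#!/bin/sh
# Added example (not from the original post): report which Zeek logs in a
# directory are JSON (one object per line) and which are still in the default
# TSV format, whose first line begins with "#separator".

# zeek_log_format FILE -> prints "json", "tsv" or "unknown"
zeek_log_format() {
    first=$(head -n 1 "$1")
    case "$first" in
        '{'*)          echo json ;;
        '#separator'*) echo tsv ;;
        *)             echo unknown ;;
    esac
}

# check_zeek_json_logs DIR -> returns 0 if every *.log in DIR is JSON,
# 1 otherwise; offending files are listed on stderr.
check_zeek_json_logs() {
    rc=0
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        fmt=$(zeek_log_format "$f")
        if [ "$fmt" != json ]; then
            echo "not JSON ($fmt): $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample logs for a stand-alone run: a JSON conn.log and a dns.log
# that was left in TSV format. The field values are made up.
demo_dir=$(mktemp -d)
printf '%s\n' '{"ts":1546300800.0,"uid":"CXWv6p3arKYeMETxOg","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.53","proto":"udp"}' > "$demo_dir/conn.log"
printf '%s\n' '#separator \x09' '#set_separator	,' > "$demo_dir/dns.log"
check_zeek_json_logs "$demo_dir" || echo "fix: @load policy/tuning/json-logs.zeek in local.zeek, then zeekctl deploy"
```

The check only looks at the first line of each file, which is enough to tell the two Zeek formats apart; it deliberately does not try to validate every JSON record, since Zeek writes one object per line and a partial last line is normal while the log is being appended to.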

Create an index in Splunk for Zeek data

It’s best practice to create separate indexes for different types of Splunk data.

  1. Log in to your Splunk instance.
  2. In the top right menu navigate to Settings -> Data -> Indexes.
  3. In the Indexes page, click on New Index.
  4. Type “zeek” for Index Name and click Save to create your new index.

Install and configure the Corelight For Splunk app

The Corelight For Splunk app is created by the Zeek team directly for use with Corelight (enterprise Zeek) and open-source Zeek sensors.  We’ll use this app to help parse, index, and visualize Zeek logs.

Note that Splunk has also published their own Splunk Add-on for Zeek aka Bro app which helps to ingest Zeek logs but does not feature any sort of dashboards or reports.

  1. Download and install the Corelight for Splunk app onto your Splunk server.  This can either be done within the Splunk server itself or by manually downloading and installing as you would all other Splunk apps.
  2. You can navigate to the app to verify that it is installed correctly.  However, since we have not yet configured our sensor to send data, the dashboards will be blank.
  3. In the top right menu navigate to Settings -> Knowledge -> Event types.
  4. In the App dropdown menu, select Corelight For Splunk and click on corelight_idx.
  5. In the Search string field type index=zeek.  This tells the Corelight for Splunk app to search for data in the “zeek” index we created earlier.

Create a splunk user to run the Splunk Universal Forwarder

Back on the Zeek sensor, create a splunk user and add it to the zeek group.

sudo useradd splunk -g zeek

Install and configure a Splunk Universal Forwarder

  1. Log in to your Splunk account and download the latest Splunk Universal Forwarder.  Once logged in, click “Download Now” for the Linux 64-bit .rpm installer.  Note that Splunk also generates a convenient wget command you can use from the sensor itself once you accept the license agreement. As of this writing, the latest release is version 7.2.3.  If the download URL referenced in the wget command below no longer works, download directly as noted above.
    wget -O splunkforwarder-7.2.3-06d57c595b80-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.2.3&product=universalforwarder&filename=splunkforwarder-7.2.3-06d57c595b80-linux-2.6-x86_64.rpm&wget=true'
  2. Install the forwarder to /opt/splunkforwarder using the rpm command.
    sudo rpm -i splunkforwarder-<…>-linux-2.6-x86_64.rpm
  3. Start the forwarder to accept the license agreement and create an administrative password.
    cd /opt/splunkforwarder/bin
    ./splunk start --accept-license
  4. Stop the forwarder.
    ./splunk stop
  5. Remove the default data processing limit.  Edit /opt/splunkforwarder/etc/system/local/limits.conf and add the following lines.  Note that given the volume of data that Zeek generates, the forwarder may never process all log data if the default limit is not removed.
    [thruput]
    maxKBps = 0 # means unlimited
    
  6. Edit /opt/splunkforwarder/etc/system/local/inputs.conf to monitor desired Zeek logs.  An example inputs.conf is below but may or may not include the logs you wish to ingest. Note that the index and sourcetype fields are leveraging the “zeek” naming scheme to match the “zeek” index we created in Splunk.
    [default]
    host = sensor
    
    [monitor:///opt/zeek/logs/current/conn.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_conn
    
    [monitor:///opt/zeek/logs/current/dns.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_dns
    
    [monitor:///opt/zeek/logs/current/software.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_software
    
    [monitor:///opt/zeek/logs/current/smtp.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_smtp
    
    [monitor:///opt/zeek/logs/current/ssl.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_ssl
    
    [monitor:///opt/zeek/logs/current/ssh.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_ssh
    
    [monitor:///opt/zeek/logs/current/x509.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_x509
    
    [monitor:///opt/zeek/logs/current/ftp.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_ftp
    
    [monitor:///opt/zeek/logs/current/http.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_http
    
    [monitor:///opt/zeek/logs/current/rdp.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_rdp
    
    [monitor:///opt/zeek/logs/current/smb_files.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_smb_files
    
    [monitor:///opt/zeek/logs/current/smb_mapping.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_smb_mapping
    
    [monitor:///opt/zeek/logs/current/snmp.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_snmp
    
    [monitor:///opt/zeek/logs/current/sip.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_sip
    
    [monitor:///opt/zeek/logs/current/files.log]
    _TCP_ROUTING = *
    index = zeek
    sourcetype = corelight_files
    
  7. Edit /opt/splunkforwarder/etc/system/local/outputs.conf to send data to your Splunk server.  In the sample file below, replace each instance of splunkserver:9997 with your own server name/IP and port number.
    [tcpout]
    defaultGroup = default-autolb-group
    
    [tcpout:default-autolb-group]
    server = splunkserver:9997
    
    [tcpout-server://splunkserver:9997]
    
  8. Make the splunk user and zeek group the owner of the entire /opt/splunkforwarder directory.
    sudo chown -R splunk:zeek /opt/splunkforwarder/
  9. Start the forwarder as the splunk user and confirm it successfully ran.  You can check /opt/splunkforwarder/var/log/splunk/splunkd.log for any issues.
    su splunk
    cd /opt/splunkforwarder/bin
    ./splunk start
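The inputs.conf in step 6 is one stanza per log, all following the same pattern: the monitored path, the zeek index, and a sourcetype of corelight_ plus the log's base name. Typing that by hand for twenty logs invites a typo that silently sends one log to the wrong index or sourcetype. The following is an added example, not from the original post, Splunk or Corelight: a POSIX shell function that generates those stanzas from the log files actually present in a directory, with the host, index and directory as parameters (defaults mirror the post). It runs stand-alone against a constructed temporary directory; note that it emits a stanza for every *.log it finds, so prune any log the Corelight app has no matching sourcetype for before copying the output into /opt/splunkforwarder/etc/system/local/inputs.conf.

```shell
#!/bin/sh
# Added example (not from the original post): generate the repetitive
# inputs.conf monitor stanzas from the files present in the Zeek log
# directory, so every log gets the index and the "corelight_" sourcetype
# prefix the Corelight For Splunk app expects.

# gen_zeek_inputs_conf LOGDIR [INDEX] [HOST] -> prints an inputs.conf on stdout
gen_zeek_inputs_conf() {
    logdir=$1
    index=${2:-zeek}
    host=${3:-sensor}
    printf '[default]\nhost = %s\n\n' "$host"
    for f in "$logdir"/*.log; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .log)
        # An absolute LOGDIR yields the monitor:///opt/... form used in the post.
        printf '[monitor://%s]\n_TCP_ROUTING = *\nindex = %s\nsourcetype = corelight_%s\n\n' \
            "$f" "$index" "$name"
    done
}

# count_monitor_stanzas FILE -> number of [monitor://...] stanzas in FILE,
# a quick sanity check that nothing was dropped.
count_monitor_stanzas() {
    grep -c '^\[monitor://' "$1"
}

# Stand-alone run against a constructed log directory (not the real sensor):
# four empty files standing in for /opt/zeek/logs/current.
demo_dir=$(mktemp -d)
for l in conn dns http ssl; do : > "$demo_dir/$l.log"; done
gen_zeek_inputs_conf "$demo_dir" zeek sensor > "$demo_dir/inputs.conf"
echo "generated $(count_monitor_stanzas "$demo_dir/inputs.conf") monitor stanzas:"
cat "$demo_dir/inputs.conf"
```

Because the glob only sees files in the directory you pass, rotated logs under /opt/zeek/logs/<date>/ are not picked up, which matches the post's choice of monitoring /opt/zeek/logs/current only. Run the generator on the sensor after Zeek has been deployed for a while, so that logs which only appear once the relevant protocol has been observed are present.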

Up Next

In Part IV of this series, we will dig into Zeek data with sample Splunk queries.


2 thoughts on “Zeekurity Zen – Part III: How to Send Zeek (Bro) Logs to Splunk”

  • Eric,
    I’ve been following your posts, and they are amazing, thanks for sharing your thoughts.
    I have a small issue seeing events in the zeek app, I do see splunk events using the index=zeek. I’m testing this in my home lab, so I’m not sure if it is related to the Splunk free version.
    Any feedback is appreciated.

    • Hi Rain1,

      I appreciate your kind words and am happy to hear the positive feedback on my posts. It means a lot. 🙂

      It shouldn’t matter that you’re using the free Splunk, I’m doing the same as well. A couple things to check — the Corelight app expects to see logs in the “zeek” index, so be sure you completed Step 5 under “INSTALL AND CONFIGURE THE CORELIGHT FOR SPLUNK APP.” The app also expects all sourcetypes to be prefixed with “corelight_” so be sure those are set properly as well.

      Note that the Corelight app isn’t required for you to get full use from your zeek logs in Splunk. I view the app as more of an introduction to what’s possible, especially if you’re a brand new zeek / splunk user. I am working on Part IV of this series (really, I promise!) which will cover interesting queries you can use in your own environment.

      Hope that helps!
