BRO/Zeek IDS Logs

@alias454

The Zeek IDS content pack contains pipeline rules, a stream, a dashboard displaying interesting activity, and a syslog TCP input to capture and index logs coming from a Zeek sensor.

If you are using Security Onion or an older version of Zeek, the log files might be laid out differently and might not contain exactly the same fields, so the pipeline rules may need adjusting.

See the full description of the default Zeek log files:
https://www.zeek.org/sphinx/script-reference/log-files.html

Working with Zeek logs:
https://www.zeek.org/sphinx/logs/index.html#working-with-log-files

Requirements

Graylog v3.x.x or later, for the newer content pack handling features
Rsyslog 8.x, to use the replace() function if using rsyslog to ship logs
Zeek 2.6.x, to use the pipeline rules out of the box

Editing the pipeline rules will be required if using older versions of Bro/Zeek, since field names and log layouts changed between releases.

Security Onion:
If running with Security Onion, verify that the field names and values your sensor emits match what the pipeline rules expect before sending data.
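The two warnings above (different log layouts on Security Onion or older Zeek, and checking field values before shipping) come down to one question: does the set of field names the sensor actually writes match the set the pipeline rules expect? The script below is an added example for this page and is not part of the content pack. It reads a Zeek log in either the TSV form (with the # header block that declares the separator, unset/empty markers, path and field names) or the JSON-lines form, extracts the field names and reports which expected fields are missing or extra. The expected field list is an assumption taken from the Zeek 2.6 conn.log layout, and both sample logs are constructed for the example; substitute the field list the content pack's pipeline rules actually reference.

```python
import json

# Assumed expected field list: the conn.log layout written by Zeek 2.6.
# Constructed for this example; compare against the fields the pipeline rules use.
EXPECTED_CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
    "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# Constructed sample: a Zeek 2.6-style TSV conn.log with one record.
SAMPLE_TSV = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2019-01-01-00-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes"
    "\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount"
    "\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]",
    "\t".join(["1546300800.000000", "CXWv6p3arKYeMETxOg", "192.0.2.10", "51234",
               "198.51.100.5", "443", "tcp", "ssl", "0.500000", "100", "200", "SF",
               "T", "F", "0", "ShADadFf", "5", "400", "4", "300", "-"]),
    "#close\t2019-01-01-00-05-00",
])

# Constructed sample: JSON-lines output from a sensor whose conn.log lacks
# local_orig/local_resp, standing in for an older or differently built Zeek.
SAMPLE_JSON = json.dumps({
    "_path": "conn", "ts": 1546300800.0, "uid": "CXWv6p3arKYeMETxOg",
    "id.orig_h": "192.0.2.10", "id.orig_p": 51234, "id.resp_h": "198.51.100.5",
    "id.resp_p": 443, "proto": "tcp", "service": "ssl", "duration": 0.5,
    "orig_bytes": 100, "resp_bytes": 200, "conn_state": "SF", "missed_bytes": 0,
    "history": "ShADadFf", "orig_pkts": 5, "orig_ip_bytes": 400, "resp_pkts": 4,
    "resp_ip_bytes": 300, "tunnel_parents": [],
})


def parse_zeek_log(text):
    """Parse Zeek TSV (with # header) or JSON-lines log text.

    Returns (path, field_names, records). For TSV input the header's
    unset marker (default '-') becomes None and the empty marker
    (default '(empty)') becomes '', so callers can tell the two apart.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].lstrip().startswith("{"):
        records = [json.loads(ln) for ln in lines]
        fields = []
        for rec in records:
            for key in rec:
                if key != "_path" and key not in fields:
                    fields.append(key)
        path = records[0].get("_path") if records else None
        return path, fields, records

    sep, unset, empty, path, fields, records = "\t", "-", "(empty)", None, [], []
    for ln in lines:
        if ln.startswith("#separator "):
            # The header spells the separator as an escape sequence such as \x09.
            sep = ln[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if ln.startswith("#"):
            key, _, value = ln[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "path":
                path = value
            elif key == "fields":
                fields = value.split(sep)
            continue  # #set_separator, #types, #open, #close are not needed here
        values = ln.split(sep)
        if len(values) != len(fields):
            raise ValueError("record has %d values but header declares %d fields"
                             % (len(values), len(fields)))
        records.append({name: (None if v == unset else "" if v == empty else v)
                        for name, v in zip(fields, values)})
    return path, fields, records


def check_fields(text, expected):
    """Report which expected fields the log lacks and which unexpected ones it carries."""
    path, fields, records = parse_zeek_log(text)
    return {
        "path": path,
        "records": len(records),
        "missing": [f for f in expected if f not in fields],
        "extra": [f for f in fields if f not in expected],
    }


if __name__ == "__main__":
    for label, sample in (("tsv", SAMPLE_TSV), ("json", SAMPLE_JSON)):
        print(label, check_fields(sample, EXPECTED_CONN_FIELDS))
```

Run it against a real log from the sensor (for example the output of `cat /opt/zeek/logs/current/conn.log` piped in, path assumed) before enabling the input; any field listed under "missing" is one the pipeline rules will not find, and any under "extra" is one they will silently ignore.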