Zeek on PFSense

I’d like to ingest Zeek logs from my pfSense. I found this content pack (BRO/Zeek IDS Logs); however, it is expecting logs to be sent via rsyslog. The problem is, pfSense Zeek doesn’t have rsyslog by default.

Is there a way for Graylog to ingest the Zeek JSON files directly? If not, has anyone configured rsyslog on pfSense to send logs to Graylog?

Hey @icon1307

I think so, after reading these links.

https://docs.zeek.org/en/master/script-reference/log-files.html

And from here

https://docs.netgate.com/pfsense/en/latest/monitoring/logs/index.html#log-format

That is, if you can ship those logs to Graylog.

I’ve shipped the logs to my Graylog server, but I don’t see an Input for Zeek.

Hey @icon1307

You probably won't. Try using Raw/Plain text or something similar.

Hey

I did a quick search and found this.

Looks like they are using Syslog_UDP

I think pfSense syslog logs are different from Zeek. Zeek runs as a separate package within pfSense. My pfSense logs are getting ingested into Graylog via syslog, but Zeek logs are not in there.

Plain/Raw still only had network transfer options (binds to a port, etc.). I just want to ingest JSON files.

Hey @icon1307

Just an FYI, I never worked with Zeek until you mentioned it. You could try the JSON path value from the HTTP API input, or perhaps the Beats input might work.
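One way to get Zeek's JSON files into Graylog without an rsyslog or Beats shipper on the firewall, as an added example that is not from this thread: a small Python forwarder that turns each Zeek JSON record into a GELF 1.1 message and sends it to a Graylog GELF UDP input (GELF is Graylog's native format, which the thread does not mention). The Graylog server, port 12201, the host name "pfsense" and the two log lines are constructed for the example.

```python
import json
import socket
from typing import Any, Dict

# Two Zeek JSON records, constructed for this example in the shape Zeek's JSON
# writer emits for conn.log and dns.log (one object per line, epoch 'ts').
SAMPLE_LINES = [
    '{"ts":1700000000.123456,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"192.0.2.10",'
    '"id.orig_p":51234,"id.resp_h":"198.51.100.5","id.resp_p":443,"proto":"tcp",'
    '"service":"ssl","conn_state":"SF","orig_bytes":1200,"resp_bytes":5400}',
    '{"ts":1700000001.5,"uid":"CfD3z1Fz5R5q7","id.orig_h":"192.0.2.10","id.orig_p":5353,'
    '"id.resp_h":"192.0.2.1","id.resp_p":53,"proto":"udp","query":"example.com","qtype_name":"A"}',
]


def zeek_to_gelf(line: str, log_name: str, host: str) -> Dict[str, Any]:
    """Convert one Zeek JSON record into a GELF 1.1 message dict."""
    record = json.loads(line)
    ts = record.pop("ts", None)  # Zeek 'ts' is epoch seconds, exactly what GELF wants
    gelf: Dict[str, Any] = {     # version, host and short_message are mandatory in GELF
        "version": "1.1",
        "host": host,
        "short_message": "zeek %s %s -> %s" % (
            log_name, record.get("id.orig_h", "?"), record.get("id.resp_h", "?")),
        "_zeek_log": log_name,   # lets a Graylog stream rule split conn/dns/ssl
    }
    if ts is not None:
        gelf["timestamp"] = float(ts)
    for key, value in record.items():
        # Additional fields take a leading '_'; dots are legal in GELF names but
        # awkward in Graylog searches, so 'id.orig_h' is stored as '_id_orig_h'.
        name = "_" + key.replace(".", "_")
        if name == "_id":        # the one additional-field name GELF reserves
            name = "_zeek_id"
        # Additional-field values may only be strings or numbers; serialise the rest.
        if isinstance(value, bool) or not isinstance(value, (str, int, float)):
            value = json.dumps(value)
        gelf[name] = value
    return gelf


def ship_file(path: str, log_name: str, host: str, server: str, port: int = 12201) -> int:
    """Send each record of a Zeek JSON log file to a Graylog GELF UDP input; returns count."""
    sent = 0
    # One uncompressed JSON datagram per record; GELF chunking only matters above ~8 KiB.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(path) as fh:
        for line in fh:
            if line.strip():
                sock.sendto(json.dumps(zeek_to_gelf(line, log_name, host)).encode(), (server, port))
                sent += 1
    return sent
```

Run it against `/usr/local/logs/current/conn.log` (or wherever the pfSense Zeek package writes its JSON output) with a cron job or a tail loop; the `_zeek_log` field gives you something to route streams and extractors on once the messages land in Graylog.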
