The second stanza monitors an arbitrary zeek folder I created under my user account. In the example inputs configuration below, the first monitor stanza tells the UF to ship logs it finds under my system’s zeek log directory. The TA will help normalize your Zeek data to match the Splunk Common Information Model (CIM).Ĭreate or edit the Zeek TA on the Splunk UF system so that the nf points to the location of your Zeek log directory.
For example, I have the TA installed on the UF, Search Head, and Search Peer in my lab setup. If you are not sure, Splunk details some best practices here. Make sure you have the Technical Add-on (TA) for Zeek built by Corelight installed on the respective tier(s) of your Splunk architecture. The examples will use a sample PCAP from Malware Traffic Analysis containing Log4j attacks against a web server and other scanning traffic. We will cover some configuration details, but this article is not necessarily geared towards someone with no knowledge of these tools: – Zeek I will assume you have the following software installed and configured for your environment. Bonus: Using Security Onion for PCAP Ingest Getting Started.
0 kommentar(er)
