Kaspersky Next XDR Expert
1.1.9

Contents

Configuring receipt of Zeek IDS events

You can configure the receipt of Zeek IDS 1.8 events in KUMA.

Configuring event receiving consists of the following steps:

  1. Conversion of the Zeek IDS event log format.

    The KUMA normalizer supports Zeek IDS logs in the JSON format. To send events to the KUMA normalizer, log files must be converted to the JSON format.

  2. Creating a KUMA collector for receiving Zeek IDS events.

    To receive Zeek IDS events, in the Collector Installation Wizard, at the Event parsing step, select the [OOTB] ZEEK IDS json file normalizer, and at the Transport step, select the file connector type.

  3. Installing KUMA collector for receiving Zeek IDS events
  4. Verifying receipt of Zeek IDS events in the KUMA collector

    You can verify that the Zeek IDS event source server is correctly configured in the Searching for related events section of the KUMA Console.

Page top
[Topic 265597]

Conversion of the Zeek IDS event log format

By default, Zeek IDS events are logged in files in the /opt/zeek/logs/current directory.

The "[OOTB] ZEEK IDS json file" normalizer supports Zeek IDS logs in the JSON format. To send events to the KUMA normalizer, log files must be converted to the JSON format.

This procedure must be repeated every time before receiving Zeek IDS events.

To convert the Zeek IDS event log format:

  1. Connect to the server where Zeek IDS is installed with a user account with administrative privileges.
  2. Create the directory where JSON event logs must be stored:

    sudo mkdir /opt/zeek/logs/zeek-json

  3. Change to this directory:

    sudo cd /opt/zeek/logs/zeek-json

  4. Run the command that uses the jq utility to convert the original event log format to the target format:

    jq . -c <path to the log file to be converted to a different format> >> <new file name>.log

    Example:

    jq . -c /opt/zeek/logs/current/conn.log >> conn.log

As a result of running the command, a new file is created in the /opt/zeek/logs/zeek-json directory if this file did not exist before. If the file was already present in the current directory, new information is appended to the end of the file.

Page top
[Topic 265598]