Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Additional zeek module log files #3288

Closed
3 of 28 tasks
111andre111 opened this issue May 30, 2020 · 10 comments
Closed
3 of 28 tasks

Additional zeek module log files #3288

111andre111 opened this issue May 30, 2020 · 10 comments
Labels
enhancement New feature or request Integration:zeek Zeek Stalled

Comments

@111andre111
Copy link

111andre111 commented May 30, 2020
edited by jamiehynds
Loading

Describe the enhancement:
I checked again the existing log types that exist in filebeat because of a test I made with zeek 3.0.
https://docs.zeek.org/en/current/script-reference/log-files.html
These issues
elastic/beats#12724
elastic/beats#12812
elastic/beats#14150
elastic/beats#14404

I did now produce a list of all logs to identify all missing log types:

  • barnyard2.log
  • broker.log
  • cluster.log
  • config.log
  • known_certs.log
  • known_hosts.log
  • known_modbus.log
  • known_services.log
  • loaded_scripts.log
  • modbus_register_change.log
  • netcontrol_catch_release.log
  • netcontrol_drop.log
  • netcontrol_shunt.log
  • netcontrol.log
  • notice_alarm.log
  • ntp.log - [Filebeat] Add Zeek NTP Fileset beats#24224
  • openflow.log
  • packet_filter.log
  • print.log
  • prof.log
  • reporter.log
  • signatures.log - [Filebeat] Add Zeek Signatures fileset beats#23772
  • software.log
  • stderr.log
  • stdout.log
  • unified2.log
  • weird_stats.log

One special part is extra

zeek-log-types.xlsx

Additionally documentation doesn't have much information about how to configure seek module:
https://www.elastic.co/guide/en/beats/filebeat/7.7/filebeat-module-zeek.html
@111andre111 111andre111 added enhancement New feature or request module labels May 30, 2020
@elasticmachine
Copy link

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team label May 30, 2020
@111andre111 111andre111 mentioned this issue May 30, 2020
Closed
25 tasks
@andrewkroh andrewkroh mentioned this issue Jun 1, 2020
Merged
6 tasks
andrewkroh referenced this issue in andrewkroh/beats Jun 1, 2020
@andrewkroh
Remove references to non-existent Zeek signatures fileset
c809cec 
In elastic#13683, a `signatures` fileset is enabled, but it did not exist. This removes
it from the module.d/zeek.yml config file so that the module can start.

In elastic#12812 there was a signatures fileset but that PR never merged. Perhaps
the fileset from that closed PR can be brought into master.

Relates: #18868
@andrewkroh
Copy link
Member

The signatures.log fileset was never actually merged into Filebeat. I've opened a PR to fix the default config. We'll have to extract the signatures fileset from the closed PR and bring it into master. elastic/beats#18878

andrewkroh referenced this issue in elastic/beats Jun 3, 2020
@andrewkroh
Remove references to non-existent Zeek signatures fileset (#18878)
229aee0 
In #13683, a `signatures` fileset is enabled, but it did not exist. This removes
it from the module.d/zeek.yml config file so that the module can start.

In #12812 there was a signatures fileset but that PR never merged. Perhaps
the fileset from that closed PR can be brought into master.

Relates: #18868
andrewkroh referenced this issue in andrewkroh/beats Jun 8, 2020
@andrewkroh
Remove references to non-existent Zeek signatures fileset (elastic#18878
c65edb9 
)

In elastic#13683, a `signatures` fileset is enabled, but it did not exist. This removes
it from the module.d/zeek.yml config file so that the module can start.

In elastic#12812 there was a signatures fileset but that PR never merged. Perhaps
the fileset from that closed PR can be brought into master.

Relates: #18868
(cherry picked from commit 229aee0)
This was referenced Jun 8, 2020
Merged
Merged
andrewkroh referenced this issue in andrewkroh/beats Jun 8, 2020
@andrewkroh
Remove references to non-existent Zeek signatures fileset (elastic#18878
7871474 
)

In elastic#13683, a `signatures` fileset is enabled, but it did not exist. This removes
it from the module.d/zeek.yml config file so that the module can start.

In elastic#12812 there was a signatures fileset but that PR never merged. Perhaps
the fileset from that closed PR can be brought into master.

Relates: #18868
(cherry picked from commit 229aee0)
andrewkroh referenced this issue in elastic/beats Jun 8, 2020
@andrewkroh
Remove references to non-existent Zeek signatures fileset (#18878) (#…
9ca2fbd 
…19041)

In #13683, a `signatures` fileset is enabled, but it did not exist. This removes
it from the module.d/zeek.yml config file so that the module can start.

In #12812 there was a signatures fileset but that PR never merged. Perhaps
the fileset from that closed PR can be brought into master.

Relates: #18868
(cherry picked from commit 229aee0)
andrewkroh referenced this issue in elastic/beats Jun 8, 2020
@andrewkroh
Remove references to non-existent Zeek signatures fileset (#18878) (#…
718ab29 
…19042)

In #13683, a `signatures` fileset is enabled, but it did not exist. This removes
it from the module.d/zeek.yml config file so that the module can start.

In #12812 there was a signatures fileset but that PR never merged. Perhaps
the fileset from that closed PR can be brought into master.

Relates: #18868
(cherry picked from commit 229aee0)
melchiormoulin referenced this issue in melchiormoulin/beats Oct 14, 2020
@andrewkroh @melchiormoulin
Remove references to non-existent Zeek signatures fileset (elastic#18878
e7e8e88 
)

In elastic#13683, a `signatures` fileset is enabled, but it did not exist. This removes
it from the module.d/zeek.yml config file so that the module can start.

In elastic#12812 there was a signatures fileset but that PR never merged. Perhaps
the fileset from that closed PR can be brought into master.

Relates: #18868
@legoguy1000
Copy link
Contributor

legoguy1000 commented Mar 23, 2021
edited
Loading

signature and ntp have been merged, elastic/beats#23772 and elastic/beats#24224

@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic
Copy link

botelastic bot commented Apr 21, 2022

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Apr 21, 2022
@rwaight
Copy link

rwaight commented May 5, 2022

This issue is relevant and should be worked on. The current version of Zeek (4.2.0) has a list of 65 .log files.

@botelastic botelastic bot removed the Stalled label May 5, 2022
@111andre111
Copy link
Author

Yes @rwaight that would be really neat if we could have some progress here.

@jamiehynds jamiehynds transferred this issue from elastic/beats May 6, 2022
@jamiehynds
Copy link

Moved from Beats to Integration repo as enhancements to our Zeek support will be focused on our agent integration.

@austinarmbruster-elastic
Copy link

👍 Zeek logs are coming up in a new deal with a customer. Still discovering the details on which specific log types must be supported.

@legoguy1000 legoguy1000 mentioned this issue May 11, 2022
Merged
4 tasks
@botelastic
Copy link

botelastic bot commented May 9, 2023

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label May 9, 2023
@botelastic botelastic bot closed this as completed Nov 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request Integration:zeek Zeek Stalled
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@andrewkroh @legoguy1000 @elasticmachine @rwaight @111andre111 @jamiehynds @austinarmbruster-elastic