Zeek

LogZilla App Store application: Zeek

Overview

Zeek (formerly Bro) is an open-source network security monitor that provides deep packet inspection and protocol analysis. Zeek generates structured logs for connections, DNS queries, HTTP requests, SSL/TLS handshakes, and security events, making it valuable for threat hunting and incident response.

App Function

  • Parse Zeek JSON-format logs from the HTTP Event Receiver
  • Extract network metadata (IPs, ports, domains, protocols)
  • Categorize events by type (network, auth, security, system)
  • Provide security-focused dashboards for threat hunting
  • Alert on security notices, threat intel matches, and authentication failures

Vendor Documentation

Device Configuration

Configure Zeek to output JSON-format logs:

  1. Edit /opt/zeek/share/zeek/site/local.zeek and add:

     ```text
     @load policy/tuning/json-logs.zeek
     ```

  2. Deploy the configuration:

     ```bash
     zeekctl deploy
     ```

  3. Verify JSON format is enabled:

     ```bash
     tail -1 /opt/zeek/logs/current/conn.log
     ```

Verification

Confirm output is JSON format with fields like id.orig_h, id.resp_h, etc.

Log Ingestion

Zeek logs must be forwarded to LogZilla via the HTTP Event Receiver. See the HTTP Event Receiver documentation for setup instructions.

When forwarding Zeek logs, include these required extra fields:

| Field | Value | Purpose |
|---|---|---|
| _source_type | zeek | Identifies logs for the Zeek app |
| _source | Log filename (e.g., conn.log) | Sets the Zeek Area tag |

Configure syslog-ng to tail Zeek log files and forward to LogZilla. See the Syslog Relays documentation for detailed configuration examples.

Example syslog-ng source for Zeek logs:

```text
source s_zeek_conn {
    file("/opt/zeek/logs/current/conn.log" flags(no-parse));
};
```

Example destination with required extra fields:

```text
destination d_logzilla_zeek {
    http(
        url("https://<LOGZILLA_HOST>/incoming")
        method("POST")
        user-agent("syslog-ng Zeek Relay")
        headers(
            "Content-Type: application/json",
            "Authorization: token <YOUR_TOKEN>"
        )
        body-prefix("{\"events\": [\n")
        delimiter(",\n")
        # format-json turns dotted pair names into nested objects, so the two
        # pairs below produce {"extra_fields": {"_source_type": ..., "_source": ...}}
        body('$(format-json
            --pair message="$MESSAGE"
            --pair extra_fields._source_type="zeek"
            --pair extra_fields._source="conn.log"
        )')
        body-suffix("\n]}")
        batch-lines(1000)
        batch-bytes(1048576)
        batch-timeout(500)  # milliseconds - flush after 500ms even if batch not full
    );
};

log {
    source(s_zeek_conn);
    destination(d_logzilla_zeek);
    flags(flow-control);
};
```

Notes:

  • The batch-timeout(500) setting ensures events are sent within 500ms even if the batch is not full. For low-volume environments, reduce batch-lines and batch-bytes or decrease batch-timeout to see events sooner.
  • The _source field determines the Zeek Area tag and Event Class. Create separate source/destination pairs for each Zeek log type (conn.log, dns.log, http.log, etc.) or use syslog-ng's wildcard-file() source with the filename in the body.
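The following Python program is an added example and is not LogZilla's or syslog-ng's code. It builds the same request body the syslog-ng destination above produces (`{"events": [{"message": ..., "extra_fields": {"_source_type": "zeek", "_source": <file name>}}]}`), derives `_source` from the log file's base name as the wildcard-file() approach in the note would, applies the batch-lines/batch-bytes limits, and performs the verification step from the Device Configuration section by dropping any line that is not a JSON object (which is what a TSV-mode log looks like when the json-logs policy is not loaded). The log lines, paths and the `build_batches`/`verify_conn_log_line` names are constructed for the example.

```python
"""Build LogZilla HTTP Event Receiver batches from Zeek JSON log lines.

Added example, not LogZilla's or syslog-ng's code. The sample log lines and
paths below are constructed.
"""
import json
import os


def is_json_log_line(line):
    """Verification check from the Device Configuration section: with the
    json-logs policy loaded every record is one JSON object. In Zeek's
    default TSV mode the file instead starts with '#separator' header lines
    followed by tab-separated rows, neither of which parses as a JSON object."""
    stripped = line.strip()
    if not stripped.startswith("{"):
        return False
    try:
        return isinstance(json.loads(stripped), dict)
    except ValueError:
        return False


def verify_conn_log_line(line):
    """Same check as 'tail -1 conn.log' above: JSON, with the id.* fields present."""
    if not is_json_log_line(line):
        return False
    record = json.loads(line)
    return all(key in record for key in ("id.orig_h", "id.resp_h"))


def build_event(line, source_name):
    """One event in the shape the format-json template above emits."""
    return {
        "message": line.rstrip("\n"),
        "extra_fields": {"_source_type": "zeek", "_source": source_name},
    }


def build_batches(lines_by_path, max_lines=1000, max_bytes=1048576):
    """Group events into request bodies, mirroring batch-lines/batch-bytes.

    lines_by_path maps a Zeek log path to its lines. The file's base name
    becomes _source, which is what sets the Zeek Area tag per log type.
    Non-JSON lines are dropped rather than forwarded. Returns the bodies as
    dicts; json.dumps(body) gives the bytes that would be POSTed.
    """
    bodies = []
    events = []
    size = 0
    for path, lines in lines_by_path.items():
        source_name = os.path.basename(path)
        for line in lines:
            if not is_json_log_line(line):
                continue
            event = build_event(line, source_name)
            encoded_size = len(json.dumps(event))
            if events and (len(events) >= max_lines or size + encoded_size > max_bytes):
                bodies.append({"events": events})
                events, size = [], 0
            events.append(event)
            size += encoded_size
    if events:
        bodies.append({"events": events})
    return bodies


# Constructed sample input: two conn.log records, one dns.log record, and two
# TSV-mode lines that must never reach LogZilla.
SAMPLE_LOGS = {
    "/opt/zeek/logs/current/conn.log": [
        '{"ts":1641949013.67,"id.orig_h":"192.168.10.107","id.resp_h":"192.168.10.255","id.resp_p":53,"proto":"udp","service":"dns"}',
        '{"ts":1641949014.02,"id.orig_h":"192.168.10.107","id.resp_h":"192.168.10.1","id.resp_p":443,"proto":"tcp","service":"ssl"}',
        "#separator \\x09",
        "1641949015.11\\tCMdzit1AMNsmfAIiQc\\t192.168.10.107\\t36844",
    ],
    "/opt/zeek/logs/current/dns.log": [
        '{"ts":1641949013.68,"id.orig_h":"192.168.10.107","id.resp_h":"192.168.10.255","query":"example.com","rcode_name":"NOERROR"}',
    ],
}


def sample_batch_summary():
    """Number of events in each body for the sample, with the default limits."""
    return [len(body["events"]) for body in build_batches(SAMPLE_LOGS)]


if __name__ == "__main__":
    for body in build_batches(SAMPLE_LOGS):
        print(json.dumps(body))
```

With the default limits the three JSON records land in a single body; lowering `max_lines` to 1 yields one body per record, with `_source` switching from conn.log to dns.log on the last one. The two TSV-style lines are silently dropped, which is the signal to go back and check that the json-logs policy was deployed.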

Incoming Log Format

Zeek logs are single-line JSON objects. Example (conn.log):

```json
{"ts":1641949013.67,"id.orig_h":"192.168.10.107","id.resp_h":"192.168.10.255","id.resp_p":53,"proto":"udp","service":"dns"}
```

Parsed Metadata Fields

| Tag Name | Example | Description |
|---|---|---|
| Vendor | Zeek | Vendor identifier |
| Product | NSM | Product identifier (Network Security Monitor) |
| Event Class | security | Event classification (network, auth, security, system) |
| Zeek Area | conn | Log type (conn, dns, http, ssl, ssh, notice, etc.) |
| SrcIP | 192.168.1.100 | Source IP address |
| DstIP | 10.1.1.50 | Destination IP address |
| DstPort | https | Destination port (translated to service name) |
| Domain | example.com | Domain name from DNS or DHCP |
| Zeek RCode | NXDOMAIN | DNS response code |
| Zeek Status | OK | HTTP/SIP status message |
| Zeek Operation | NetrLogonSamLogon | DCE/RPC operation name |
| Zeek Auth Success | false | SSH authentication result |
| Zeek SSL Validation | self signed certificate | SSL certificate validation status |
| Zeek Notice | Scan::Port_Scan | Zeek notice type from notice.log |
| MitreId | T1046 | MITRE ATT&CK technique ID |
| MITRE Tactic | Discovery | MITRE ATT&CK tactic name |

MITRE ATT&CK Mappings

Zeek notice types are mapped to MITRE ATT&CK techniques:

| Notice Type | Technique | Tactic |
|---|---|---|
| Scan::Port_Scan | T1046 | Discovery |
| Scan::Address_Scan | T1046 | Discovery |
| SSH::Password_Guessing | T1110 | Credential Access |
| FTP::Bruteforcing | T1110 | Credential Access |
| SSL::Invalid_Server_Cert | T1557 | Credential Access |
| HTTP::SQL_Injection_Attacker | T1190 | Initial Access |
| TeamCyru::Malware_Hash_Registry | T1204 | Execution |
| DNS::Tunneling | T1071 | Command and Control |
| Conn::Large_Outbound_Transfer | T1048 | Exfiltration |

Log Examples

Connection Log

```json
{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","service":"dns","conn_state":"SF"}
```

DNS Query

```json
{"ts":1591368000.123,"uid":"CX1l7X34hCbGkWGlB6","id.orig_h":"192.168.4.76","id.resp_h":"192.168.4.1","query":"example.com","rcode_name":"NOERROR"}
```

SSH Authentication Failure

```json
{"ts":1591368100.456,"uid":"CzEmsljW9ooL0WnBd","id.orig_h":"10.0.0.50","id.resp_h":"192.168.4.37","id.resp_p":22,"auth_success":false,"auth_attempts":3,"client":"SSH-2.0-OpenSSH_7.9p1"}
```

Security Notice

```json
{"ts":1591368200.789,"note":"Scan::Port_Scan","msg":"192.168.1.100 scanned at least 15 unique ports of host 10.0.0.1","src":"192.168.1.100"}
```

Dashboards

| Dashboard | Description |
|---|---|
| Zeek: Security | Security KPIs, MITRE analysis, notices, auth failures |
| Zeek: Network | Traffic analysis, DNS, connections, services |

Triggers

| Trigger | Description |
|---|---|
| Zeek: MITRE ATT&CK Threat Detected | Events with MITRE technique mapping |
| Zeek: Security Notice Detected | Zeek built-in detection alerts |
| Zeek: Threat Intel Match | Threat intelligence indicator matches |
| Zeek: Signature Match | IDS-style signature detections |
| Zeek: Protocol Anomaly Detected | Unusual network behavior (weird logs) |
| Zeek: SSH Authentication Failure | Failed SSH authentication attempts |
| Zeek: SSL Certificate Problem | Certificate validation failures (no notify) |
| Zeek: DNS NXDOMAIN Response | Failed DNS lookups (no notify) |
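The following Python program is an added example and is not the LogZilla Zeek app's own parser. It ties together the Parsed Metadata Fields table, the MITRE ATT&CK Mappings table and the Triggers table: it derives the tags from a Zeek JSON line plus its `_source` file name, applies the notice-to-technique mapping copied from the table above, and reports which of the listed triggers an event would satisfy. The notice-to-MITRE table and the four log examples are taken from this page; the grouping of log types into Event Classes, the port-to-service table, the use of ssl.log's `validation_status` field, and the `parse_zeek_event`/`matching_triggers` names are assumptions made for the example.

```python
"""Parse Zeek JSON log lines into LogZilla-style tags and evaluate triggers.

Added example, not the LogZilla Zeek app's own code. Tag names and the
notice-to-MITRE table come from this page; AREA_TO_CLASS, PORT_TO_SERVICE and
the ssl.log validation_status field are assumptions.
"""
import json

# Notice type -> (technique, tactic), copied from the MITRE ATT&CK Mappings table.
NOTICE_TO_MITRE = {
    "Scan::Port_Scan": ("T1046", "Discovery"),
    "Scan::Address_Scan": ("T1046", "Discovery"),
    "SSH::Password_Guessing": ("T1110", "Credential Access"),
    "FTP::Bruteforcing": ("T1110", "Credential Access"),
    "SSL::Invalid_Server_Cert": ("T1557", "Credential Access"),
    "HTTP::SQL_Injection_Attacker": ("T1190", "Initial Access"),
    "TeamCyru::Malware_Hash_Registry": ("T1204", "Execution"),
    "DNS::Tunneling": ("T1071", "Command and Control"),
    "Conn::Large_Outbound_Transfer": ("T1048", "Exfiltration"),
}

# Assumed grouping of Zeek log types into the app's four Event Classes;
# anything unlisted falls into "system".
AREA_TO_CLASS = {
    "conn": "network", "dns": "network", "http": "network", "ssl": "network",
    "ssh": "auth", "kerberos": "auth", "ntlm": "auth",
    "notice": "security", "intel": "security", "signatures": "security", "weird": "security",
}

# Assumed port-to-service table standing in for the app's "translated to service name".
PORT_TO_SERVICE = {22: "ssh", 53: "dns", 80: "http", 443: "https"}


def parse_zeek_event(source, line):
    """Return the tags derived from one line of the named Zeek log file."""
    record = json.loads(line)
    area = source.rsplit(".", 1)[0]          # "conn.log" -> "conn" (Zeek Area)
    tags = {
        "Vendor": "Zeek",
        "Product": "NSM",
        "Zeek Area": area,
        "Event Class": AREA_TO_CLASS.get(area, "system"),
    }
    src_ip = record.get("id.orig_h") or record.get("src")   # notice.log uses src/dst
    if src_ip:
        tags["SrcIP"] = src_ip
    dst_ip = record.get("id.resp_h") or record.get("dst")
    if dst_ip:
        tags["DstIP"] = dst_ip
    if "id.resp_p" in record:
        port = record["id.resp_p"]
        tags["DstPort"] = PORT_TO_SERVICE.get(port, str(port))
    if "query" in record:
        tags["Domain"] = record["query"]
    if "rcode_name" in record:
        tags["Zeek RCode"] = record["rcode_name"]
    if "auth_success" in record:                       # ssh.log boolean -> "true"/"false"
        tags["Zeek Auth Success"] = str(record["auth_success"]).lower()
    if "validation_status" in record:                  # assumed ssl.log field name
        tags["Zeek SSL Validation"] = record["validation_status"]
    if "note" in record:                               # notice.log
        tags["Zeek Notice"] = record["note"]
        mapping = NOTICE_TO_MITRE.get(record["note"])
        if mapping:
            tags["MitreId"], tags["MITRE Tactic"] = mapping
    return tags


def matching_triggers(tags):
    """Names of the page's triggers whose condition the tags satisfy."""
    fired = []
    if "MitreId" in tags:
        fired.append("Zeek: MITRE ATT&CK Threat Detected")
    if "Zeek Notice" in tags:
        fired.append("Zeek: Security Notice Detected")
    if tags.get("Zeek Area") == "intel":
        fired.append("Zeek: Threat Intel Match")
    if tags.get("Zeek Area") == "signatures":
        fired.append("Zeek: Signature Match")
    if tags.get("Zeek Area") == "weird":
        fired.append("Zeek: Protocol Anomaly Detected")
    if tags.get("Zeek Auth Success") == "false":
        fired.append("Zeek: SSH Authentication Failure")
    if "Zeek SSL Validation" in tags and tags["Zeek SSL Validation"] != "ok":
        fired.append("Zeek: SSL Certificate Problem")
    if tags.get("Zeek RCode") == "NXDOMAIN":
        fired.append("Zeek: DNS NXDOMAIN Response")
    return fired


# The four log examples from this page, each paired with its _source file name.
CONN_LINE = '{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","service":"dns","conn_state":"SF"}'
DNS_LINE = '{"ts":1591368000.123,"uid":"CX1l7X34hCbGkWGlB6","id.orig_h":"192.168.4.76","id.resp_h":"192.168.4.1","query":"example.com","rcode_name":"NOERROR"}'
SSH_LINE = '{"ts":1591368100.456,"uid":"CzEmsljW9ooL0WnBd","id.orig_h":"10.0.0.50","id.resp_h":"192.168.4.37","id.resp_p":22,"auth_success":false,"auth_attempts":3,"client":"SSH-2.0-OpenSSH_7.9p1"}'
NOTICE_LINE = '{"ts":1591368200.789,"note":"Scan::Port_Scan","msg":"192.168.1.100 scanned at least 15 unique ports of host 10.0.0.1","src":"192.168.1.100"}'

if __name__ == "__main__":
    for source, line in (("conn.log", CONN_LINE), ("dns.log", DNS_LINE),
                         ("ssh.log", SSH_LINE), ("notice.log", NOTICE_LINE)):
        tags = parse_zeek_event(source, line)
        print(source, tags, matching_triggers(tags))
```

Running it shows the conn.log record producing only network metadata and no trigger, the ssh.log record firing the SSH Authentication Failure trigger, and the notice.log record firing both the MITRE and Security Notice triggers once `Scan::Port_Scan` resolves to T1046 / Discovery.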