Zeek is a platform for network security monitoring. It interprets the traffic it sees and produces compact, high-fidelity transaction logs and extracted file content. Its output is fully customizable and suitable for manual review on disk or for a more analyst-friendly tool such as a security information and event management (SIEM) system.
This integration ingests the following logs:
- Connection logs
- DNS and DHCP logs
- Network Protocols
- Files
- Detections
- Miscellaneous event types
The out-of-the-box dashboards visualize network connections, DNS and DHCP activity, detailed network protocol analysis, file analysis and certificates, security detections and observations, and compliance monitoring.
To install the Zeek integration, run the following Agent installation command, then follow the steps below. For more information, see the Integration Management documentation.
Note: This step is not necessary for Agent version >= 7.52.0.
Linux command:
```shell
sudo -u dd-agent -- datadog-agent integration install datadog-zeek==1.0.0
```
- Install the Agent on your Zeek machine.
- Install the Corelight Zeek plugin for JSON logging:
```shell
/opt/zeek/bin/zkg install corelight/json-streaming-logs
```
- Load ZKG packages:
```shell
echo -e "\n# Load ZKG packages\n@load packages" >> /opt/zeek/share/zeek/site/local.zeek
```
- Restart Zeek:
```shell
/opt/zeek/bin/zeekctl install
/opt/zeek/bin/zeekctl restart
```
- Have the Datadog Agent installed and running.
- Collecting logs is disabled by default in the Datadog Agent. Enable it in datadog.yaml:
```yaml
logs_enabled: true
```
- Add this configuration block to your zeek.d/conf.yaml file to start collecting your Zeek logs. See the sample zeek.d/conf.yaml for available configuration options.
```yaml
logs:
  - type: file
    path: /opt/zeek/logs/current/*.log
    exclude_paths:
      - /opt/zeek/logs/current/*.*.log
    service: zeek
    source: zeek
```
Note: Add the paths of unsupported or undesired log files to the exclude_paths parameter so that they are not ingested while monitoring.
```yaml
# Example of excluded paths
exclude_paths:
  - /opt/zeek/logs/current/ntlm.log
  - /opt/zeek/logs/current/radius.log
  - /opt/zeek/logs/current/rfb.log
```
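The path and exclude_paths globs above decide which files the Agent tails: the second glob drops rotated copies (two dots in the name) so they are not ingested twice, while an unsupported log that is not excluded is still tailed. The following added example (not part of this integration's code) resolves a constructed directory listing against those globs with fnmatch, which is assumed to approximate the Agent's matcher:

```python
import fnmatch

# Constructed sample of what /opt/zeek/logs/current/ might contain: live logs,
# rotated copies (two dots in the name) and log types the integration does not parse.
SAMPLE_DIR_LISTING = [
    "/opt/zeek/logs/current/conn.log",
    "/opt/zeek/logs/current/dns.log",
    "/opt/zeek/logs/current/notice.log",
    "/opt/zeek/logs/current/conn.2024-01-01-00-00-00.log",   # rotated copy
    "/opt/zeek/logs/current/dns.2024-01-01-00-00-00.log",    # rotated copy
    "/opt/zeek/logs/current/ntlm.log",
    "/opt/zeek/logs/current/radius.log",
    "/opt/zeek/logs/current/rfb.log",
    "/opt/zeek/logs/current/stderr.log",   # not a Zeek event log, still matches *.log
]

# Mirrors the conf.yaml block plus the extra excludes from the note above.
PATH_GLOB = "/opt/zeek/logs/current/*.log"
EXCLUDE_PATHS = [
    "/opt/zeek/logs/current/*.*.log",
    "/opt/zeek/logs/current/ntlm.log",
    "/opt/zeek/logs/current/radius.log",
    "/opt/zeek/logs/current/rfb.log",
]


def select_tailed_files(listing, path_glob, exclude_paths):
    """Return the files the Agent would tail: those matching path_glob minus
    those matching any exclude_paths entry (fnmatch glob semantics, assumed
    to approximate the Agent's own matcher)."""
    tailed = []
    for f in listing:
        if not fnmatch.fnmatchcase(f, path_glob):
            continue
        if any(fnmatch.fnmatchcase(f, ex) for ex in exclude_paths):
            continue
        tailed.append(f)
    return tailed


def exclusion_reason(path, path_glob, exclude_paths):
    """Explain why a file is or is not tailed; handy when a log type is missing."""
    if not fnmatch.fnmatchcase(path, path_glob):
        return "not matched by path"
    for ex in exclude_paths:
        if fnmatch.fnmatchcase(path, ex):
            return f"excluded by {ex}"
    return "tailed"
```

Running it shows stderr.log is still tailed, which is exactly the case the note's extra exclude_paths entries are meant to cover.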
For logs forwarded from a Corelight sensor over syslog:
- Collecting logs is disabled by default in the Datadog Agent. Enable it in datadog.yaml:
```yaml
logs_enabled: true
```
- Add this configuration block to your zeek.d/conf.yaml file to start collecting your logs:
```yaml
logs:
  - type: tcp
    port: <PORT>
    service: corelight
    source: zeek
```
Configuring Syslog Message Forwarding from Corelight
- Open a web browser and navigate to the IP address or hostname of your Corelight sensor.
- Log in with your administrative credentials.
- Navigate to the Zeek configuration page. The exact path may vary depending on your sensor's firmware version.
- Look for options related to "Zeek" or "Logging". Common paths include:
  - Settings > Logging
  - Configuration > Zeek > Logging
- Locate the option to enable syslog output for Zeek logs and select the checkbox or toggle to activate.
- Specify Syslog Server Details. Provide the following information:
- Syslog server IP address: The destination where you want to send the Zeek logs.
- Syslog port: The port on which the syslog server is listening (typically 514).
- Facility: The syslog facility to use.
- Severity level: The minimum severity of events to send.
- Click the Save or Apply button to commit the configuration changes.
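Once forwarding is on, every line the Agent receives on the TCP port carries an RFC 3164 header whose PRI value encodes the facility and severity chosen above (PRI = facility * 8 + severity) in front of the Zeek record. The added example below (not Datadog's or Corelight's code) parses such lines and rejects malformed ones instead of crashing; the sample lines are constructed, and it assumes the body is a JSON record carrying a `_path` field as the JSON streaming logs package emits:

```python
import json
import re

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG: MSG, where PRI = facility * 8 + severity.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+):\s*"
    r"(?P<msg>.*)$"
)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines in the shape a sensor forwarding Zeek logs over
# syslog might send; the JSON payloads are illustrative, not captured data.
SAMPLE_LINES = [
    '<134>Mar  5 10:15:01 sensor01 zeek: {"_path":"conn","ts":1709633701.1,'
    '"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","id.resp_p":443,"proto":"tcp"}',
    '<133>Mar  5 10:15:02 sensor01 zeek: {"_path":"notice","ts":1709633702.2,'
    '"note":"SSL::Invalid_Server_Cert","msg":"certificate validation failed"}',
    'not a syslog line at all',
]


def parse_rfc3164(line):
    """Split one RFC 3164 line into header fields and decode the JSON body.
    Returns None for non-RFC 3164 input or a non-JSON body so callers can drop it."""
    m = RFC3164_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:            # facility 0..23, severity 0..7 => PRI <= 191
        return None
    try:
        body = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    return {
        "facility": pri // 8,
        "severity": SEVERITY_NAMES[pri % 8],
        "host": m.group("host"),
        "tag": m.group("tag"),
        "zeek_path": body.get("_path"),   # assumed: JSON streaming logs carry _path
        "record": body,
    }


def parse_all(lines):
    """Parse a batch, returning (parsed records, count of dropped lines)."""
    parsed = [r for r in (parse_rfc3164(l) for l in lines) if r is not None]
    return parsed, len(lines) - len(parsed)
```

The dropped-line count is worth exporting as a metric: a sudden rise usually means the sensor's syslog format or facility setting changed rather than that traffic stopped.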
Run the Agent's status subcommand and look for zeek under the Checks section.
The Zeek integration collects the following log types.
Format | Event Types |
---|---|
Opensource Zeek - JSON Format | conn, dhcp, dns, ftp, http, ntp, rdp, smtp, snmp, socks, ssh, ssl, syslog, tunnel, files, pe, intel, notice, signatures, traceroute, known-certs, known-modbus, known-services, known-hosts, software, x509, dpd, weird, captureloss, reporter, ldap, ldap-search, smb-files, smb-mappings |
Corelight Zeek - Syslog RFC 3164 (Legacy) Format | conn, dhcp, dns, ftp, http, ntp, rdp, smtp, snmp, socks, ssh, ssl, syslog, tunnel, files, pe, intel, notice, signatures, traceroute, known-certs, known-modbus, known-services, known-hosts, software, x509, dpd, weird, captureloss, reporter, ldap, ldap-search, smb-files, smb-mappings, conn-long, conn-red, encrypted-dns, generic-dns-tunnels, smtp-links, suricata-corelight |
The Zeek integration does not include any metrics.
The Zeek integration does not include any events.
The Zeek integration does not include any service checks.
If you see a Permission denied error while monitoring the log files, give the dd-agent user read permission on them:
```shell
sudo chown -R dd-agent:dd-agent /opt/zeek/current/
```
Permission denied while port binding:
If you see a Permission denied error while port binding in the Agent logs, see the following instructions:
- Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the setcap command:
```shell
sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
```
- Verify the setup is correct by running the getcap command:
```shell
sudo getcap /opt/datadog-agent/bin/agent/agent
```
With the expected output:
```
/opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
```
Note: Re-run this setcap command every time you upgrade the Agent.
Data is not being collected:
If a firewall is enabled, make sure it allows traffic to the configured port.
Port already in use:
If you see the Port <PORT-NO> Already in Use error, see the following instructions. The example below is for PORT-NO = 514:
On systems using Syslog, if the Agent listens for Zeek logs on port 514, the following error can appear in the Agent logs:
```
Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use
```
This error occurs because by default, Syslog listens on port 514. To resolve this error, take one of the following steps:
- Disable Syslog
- Configure the Agent to listen on a different, available port
For any further assistance, contact Datadog support.