Configure Zeek module with the sample dashboard

Merril · July 4, 2019, 4:34pm

Hi all,

I am struggling to set up visualisation for Zeek (Bro) logs with Kibana. The Zeek module included with filebeat apparently comes with a sample dashboard seen here. I am struggling to see the sample dashboard and setting up a visualisation for the conn.log from Zeek. I can see there is an index created using the configurations of filebeat:

filebeat.config.modules:
  enabled: true
  path: "/usr/share/filebeat/modules.d/*.yml"
filebeat.modules:
  - module: zeek
    connection:
      enabled: true
      var.paths:
        - "/usr/local/bro/logs/current/conn.log"

output.elasticsearch:
  hosts: ["x.x.xxx.xxx:9200"]

setup.kibana:
   host: "x.x.xxx.xxx:5601"

I feel the documentation for the Zeek module is not enough. Could someone advise me further how to set this up?

Kind regards,
Merril.

faec · July 5, 2019, 10:25pm

Can you tell if your difficulty is with filebeat or kibana? You say you can see an index created, does that mean that the zeek logs are being indexed in elasticsearch, but you don't see the dashboard? Or are you unsure if the logs are being indexed at all?

Merril · July 8, 2019, 8:07am

Hi Fae,

I can see index on ES and indeed in Kibana and I could create an index pattern and discover the documents. But no default dashboard on Kibana. I assume its a filebeat configuration?. I am using docker so it would be easier for me to configure through filebeat.yml if there is a setting I can apply.

Kind regards,
Merril.

system · August 5, 2019, 8:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.