Configure Zeek module with the sample dashboard

Hi all,

I am struggling to set up visualisation for Zeek (Bro) logs with Kibana. The Zeek module included with filebeat apparently comes with a sample dashboard seen here. I am struggling to see the sample dashboard and to set up a visualisation for the conn.log from Zeek. I can see there is an index created using the configurations of filebeat:

filebeat.config.modules:
  enabled: true
  path: "/usr/share/filebeat/modules.d/*.yml"
filebeat.modules:
  - module: zeek
    connection:
      enabled: true
      var.paths:
        - "/usr/local/bro/logs/current/conn.log"

output.elasticsearch:
  hosts: ["x.x.xxx.xxx:9200"]

setup.kibana:
  host: "x.x.xxx.xxx:5601"

I feel the documentation for the Zeek module is not enough. Could someone advise me further how to set this up?

Kind regards,
Merril.

Can you tell if your difficulty is with filebeat or kibana? You say you can see an index created, does that mean that the zeek logs are being indexed in elasticsearch, but you don't see the dashboard? Or are you unsure if the logs are being indexed at all?

Hi Fae,

I can see the index on ES and indeed in Kibana, and I could create an index pattern and discover the documents. But no default dashboard on Kibana. I assume it's a filebeat configuration? I am using Docker so it would be easier for me to configure through filebeat.yml if there is a setting I can apply.

Kind regards,
Merril.
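The symptom described in the thread (events indexed and searchable in Discover, but no Zeek dashboards in Kibana) matches a Filebeat configuration that never runs the setup phase: the module ships its dashboards, but they are only written to Kibana when Filebeat's setup step runs against the host under `setup.kibana`. The following is an added example, not configuration from the original posts; it keeps the poster's module and output settings (the `x.x.xxx.xxx` addresses and the `/usr/local/bro` path are the placeholders from the first post) and adds the one setting that makes Filebeat load the sample dashboards on start-up.

```yaml
# filebeat.yml -- added example; the Zeek module and output sections
# are the poster's, the setup.dashboards block is the addition.
filebeat.config.modules:
  enabled: true
  path: "/usr/share/filebeat/modules.d/*.yml"

filebeat.modules:
  - module: zeek
    connection:
      enabled: true
      var.paths:
        - "/usr/local/bro/logs/current/conn.log"

# Without this (or an explicit `filebeat setup` run) the dashboards
# bundled with the Zeek module are never pushed to Kibana, even though
# the events themselves are indexed normally.
setup.dashboards.enabled: true

setup.kibana:
  host: "x.x.xxx.xxx:5601"   # placeholder address from the original post

output.elasticsearch:
  hosts: ["x.x.xxx.xxx:9200"]   # placeholder address from the original post
```

With `setup.dashboards.enabled: true`, Filebeat loads the dashboards (and the index template) each time it starts, which is the least-effort route when everything is driven from a mounted filebeat.yml in Docker. The same result can be obtained once, without changing the running configuration, by invoking the setup subcommand against the same file, for example `filebeat setup -e -c /usr/share/filebeat/filebeat.yml`, or in Docker by running the Filebeat image with `setup -e` as its command and the same filebeat.yml mounted. In either case Filebeat needs to reach the Kibana host in `setup.kibana` with whatever credentials that instance requires; if Elasticsearch and Kibana are protected, add the matching `username`/`password` under both `output.elasticsearch` and `setup.kibana`, otherwise the setup step fails and the dashboards stay missing while indexing of the conn.log events continues to work.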
