Good evening everyone!
I am trying to use the Zeek module with Filebeat ... no matter what I do, Filebeat is insisting on looking in /var/log/zeek/current for its file source ... I compiled Zeek from source and it's running smoothly, but its default directory for dumping its logs is /usr/local/zeek/logs/current/
I am writing the Zeek logs to JSON format and I know it's not a translation issue because if I make a copy of the JSON logs and copy them to /var/log/zeek/current they get consumed and fired up to the Elasticsearch DB no problem...
However, if I try and modify the var.paths like the attached:
... I get the following error:
So it appears something somewhere in the Filebeat config is insisting on only dealing with the /var/log/zeek/current directory and there's no telling it otherwise ...
QUESTION: Is there somewhere else besides the var.paths variable for each of the Zeek logs that I should be putting the alternate path for the Zeek logs?
Thanks in advance for the feedback! Cheers!
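For reference, this is the shape a per-fileset var.paths override takes in the Zeek module config (an added example, not the poster's attachment or Elastic's own documentation); the /usr/local/zeek/logs/current/ path comes from the post above, and the fileset names shown are assumed to match the logs the poster ships.

```yaml
# modules.d/zeek.yml (assumed location of the module config)
#
# Each Zeek log is its own fileset. var.paths is set per fileset and MUST be a
# YAML list, not a bare string; a fileset that is enabled but given no var.paths
# keeps the module's built-in default (the /var/log/zeek/current path from the post),
# so every fileset being shipped from the custom directory needs its own override.
- module: zeek
  connection:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/conn.log"]
  dns:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/dns.log"]
  http:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/http.log"]
  ssl:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/ssl.log"]
  # Filesets not listed here stay disabled; enabling one without var.paths
  # sends Filebeat back to the default directory for that log only.
```

After editing, confirm the running Filebeat user can read the files under /usr/local/zeek/logs/current/ (Zeek built from source often writes them as a different user), since a permission error surfaces as the harvester never picking the files up rather than as a path problem.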