This repository contains a few utility scripts for the Zeek Network Security Monitor.
This script outputs information about running Zeek processes in influxdb line format. If the Zeek processes have been started using Zeekctl, it will also add information like the listening interface and the type of node.
Example output:
zeek,host=allison,interface='unknown',nodetype='logger-1' pmem=0.0,pcpu=87.4,vsize=3271596,rss=197424,cputimes=153,etimes=175
zeek,host=allison,interface='unknown',nodetype='manager' pmem=0.0,pcpu=0.5,vsize=686600,rss=89964,cputimes=0,etimes=174
zeek,host=allison,interface='unknown',nodetype='proxy-1' pmem=0.0,pcpu=0.4,vsize=684792,rss=85476,cputimes=0,etimes=173
zeek,host=allison,interface='af_packet::em2',nodetype='worker-1-1' pmem=0.0,pcpu=17.3,vsize=875652,rss=278452,cputimes=29,etimes=171
zeek,host=allison,interface='af_packet::em2',nodetype='worker-1-3' pmem=0.0,pcpu=23.2,vsize=875360,rss=278308,cputimes=39,etimes=171
zeek,host=allison,interface='af_packet::em2',nodetype='worker-1-11' pmem=0.0,pcpu=16.8,vsize=871848,rss=276724,cputimes=28,etimes=171You can use software like Telegraf to submit the output to influxdb. The following configuration file snippet will run collection every 60 seconds:
[[inputs.exec]]
commands = ["/home/johanna/do.pl"]
timeout = "60s"
data_format = "influx"Read Zeek log files into a postgresql database. Tables are automatically generated according to the type and path values in the Zeek logs.
Usage:
readToPsql.pl --db=[dbname] [--port=port] [logfiles]Read Zeek log files into a greenplum database. Tables are automatically generated according to the type and path values in the Zeek logs.
Usage:
readToGpDB.pl --db=[dbname] [--port=port] [logfiles]Convert the SSL blacklist provided by abuse.ch to a format that is ingestible by the Zeek Intelligence Framework.
Usage:
convert-blacklist.pl infile > outfile