Add zeek package #245
Add zeek package #245
Conversation
leehinman
added
enhancement
|
Pinging @elastic/integrations (Team:Integrations) |
|
Pinging @elastic/siem (Team:SIEM) |
💚 Build Succeeded
Expand to view the summary
Build stats
|
|
I'll go through this... slowly... reviews will be in chunks |
packages/zeek/manifest.yml
Outdated
| title: 'Collect Zeek capture_loss, connection, dce_rpc, dhcp, dnp3, dns, dpd, files, ftp, http, intel, irc, kerberos, modbus, mysql, notice, ntlm, ocsp, pe, radius, rdp, rfb, sip, smb_cmd, smb_files, smb_mapping, smtp, snmp, socks, ssh, ssl, stats, syslog, traceroute, tunnel, weird and x509 logs' | ||
| description: 'Collecting capture_loss, connection, dce_rpc, dhcp, dnp3, dns, dpd, files, ftp, http, intel, irc, kerberos, modbus, mysql, notice, ntlm, ocsp, pe, radius, rdp, rfb, sip, smb_cmd, smb_files, smb_mapping, smtp, snmp, socks, ssh, ssl, stats, syslog, traceroute, tunnel, weird and x509 logs from Zeek instances' | ||
| owner: | ||
| github: elastic/siem |
There was a problem hiding this comment.
| github: elastic/siem | |
| github: elastic/security-ingest |
packages/zeek/manifest.yml
Outdated
| description: Collect logs from Zeek instances | ||
| inputs: | ||
| - type: logfile | ||
| title: 'Collect Zeek capture_loss, connection, dce_rpc, dhcp, dnp3, dns, dpd, files, ftp, http, intel, irc, kerberos, modbus, mysql, notice, ntlm, ocsp, pe, radius, rdp, rfb, sip, smb_cmd, smb_files, smb_mapping, smtp, snmp, socks, ssh, ssl, stats, syslog, traceroute, tunnel, weird and x509 logs' |
There was a problem hiding this comment.
This seems like rather long title. Maybe we should drop the names of the individual logs.
| "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", | ||
| "query": { | ||
| "language": "kuery", | ||
| "query": "" |
There was a problem hiding this comment.
Should these visualizations have a query to only select Zeek data? If so we can take advantage of the constant_keyword data_stream fields for this.
| show_user: true | ||
| default: | ||
| - zeek.dhcp | ||
| - name: community_id |
There was a problem hiding this comment.
This might be a lot of work, but I'd like to have this config option removed from everywhere. The processor should always be included. I can't think of any reason to make it configurable.
There was a problem hiding this comment.
Unfortunately CI reported issues for this PR: https://beats-ci.elastic.co/blue/organizations/jenkins/Beats%2Fintegrations/detail/PR-245/13/pipeline
EDIT:
After a short investigation with @ycombinator , it looks that we have a requirement for dataset names to be at least 3 characters: https://github.com/elastic/package-spec/blob/master/versions/1/dataset/spec.yml#L6 . I'm wondering whether it's a good requirement to prevent a non-descriptive, mysterious names like in this case "pe".
It's not a big deal to change it, but maybe it's better to keep it. WDYT @ruflin @ycombinator ?
Just a bit of context. The datasets are named after the ~40 log files that zeek produces. And in this case the log file is called It might be a little weird for all the others to be direct mappings (mysql.log -> mysql) but this one to be pe.log -> portable_executable. I'd vote for an exception in this case, most of the time a 2 letter name would be mysterious but in this context making it not like all the others could be more mysterious. Luckily this is the only 2 letter log name for zeek. https://docs.zeek.org/en/current/script-reference/log-files.html |
|
I'm in favor of keeping it as However, if we decide to change it to be more descriptive, then I'd suggest doing that consistently for other datasets of this integration as well, e.g. So I think the rule-of-thumb should be that we use dataset names that makes sense in the context of an integration. |
|
Ok, I'm going to open PR against package-spec to adjust the schema. |
|
I'm good with changing the constraint. Keep in mind that in most cases this also effects the index name. For short vs long: We probably should have a recommendation but in the end, it is up to the person writing the package to make the call. |
|
@leehinman I updated the dependency on package-spec on master branch. Please rebase this PR against master and |
- capture_loss - connection - dce_rpc - dhcp - dnp3 - dns - dpd - files - ftp - http - intel - irc - kerberos - modbus - mysql - notice - ntlm - ocsp - pe - radius - rdp - rfb - sip - smb_cmd - smb_files - smb_mapping - smtp - snmp - socks - ssh - ssl - stats - syslog - traceroute - tunnel - weird - x509 Closes elastic#225
- quoting of = - indentation in a painless script makes it easier to sync with Filebeat
- removed config option for community_id - changed owner to security-ingest - Shortened Title and reworded description - limit visualizations to zeek data
- kerberos, ssl & x509 ECS 1.6.0 changes - fix community_id processor
- mage check changes
Done. Thanks for all the help. |
* Add zeek package - capture_loss - connection - dce_rpc - dhcp - dnp3 - dns - dpd - files - ftp - http - intel - irc - kerberos - modbus - mysql - notice - ntlm - ocsp - pe - radius - rdp - rfb - sip - smb_cmd - smb_files - smb_mapping - smtp - snmp - socks - ssh - ssl - stats - syslog - traceroute - tunnel - weird - x509 - limit visualizations to zeek data - removed config option for communit_id processor - synced with filebeat zeek module for ECS 1.6.0 changes Closes elastic#225
What does this PR do?
Add package for the filebeat Zeek module. Includes capture_loss,
connection, dce_rpc, dhcp, dnp3, dns, dpd, files, ftp, http, intel
irc, kerberos, modbus, mysql, notice, ntlm, ocsp, pe, radius, rdp
rfb, sip, smb_cmd, smb_files, smb_mapping, smtp, snmp, socks
ssh, ssl, stats, syslog, traceroute, tunnel, weird, x509
Checklist
Related issues
Screenshots