Conversion of the Zeek IDS event log format

By default, Zeek IDS events are logged in files in the /opt/zeek/logs/current directory.

The "[OOTB] ZEEK IDS json file" normalizer supports Zeek IDS logs in the JSON format. To send events to the KUMA normalizer, log files must be converted to the JSON format.

This procedure must be repeated every time before receiving Zeek IDS events.

To convert the Zeek IDS event log format:

  1. Connect to the server where Zeek IDS is installed using an account with administrative privileges.
  2. Create the directory where JSON event logs must be stored:

    sudo mkdir /opt/zeek/logs/zeek-json

  3. Change to this directory:

    cd /opt/zeek/logs/zeek-json    # cd is a shell builtin; it is not run through sudo

  4. Run the jq utility to write the events of the original log file to a new file as compact (one-line) JSON:

    jq -c . <path to the log file to be converted> >> <new file name>.log

    Example:

    jq -c . /opt/zeek/logs/current/conn.log >> conn.log

As a result of running the command, a new file is created in the /opt/zeek/logs/zeek-json directory if it did not exist before. If the file already exists in this directory, the new events are appended to the end of it.
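The conversion step in a form that can be run and checked offline, as an added example that is not part of the KUMA or Zeek documentation: it produces the same one-record-per-line output as `jq -c .` and, because jq can only reformat JSON it is able to parse, it refuses the tab-separated format Zeek writes unless JSON logging is enabled. The sample records and the function names are constructed for the example.

```python
"""Added example, not from the KUMA or Zeek documentation: compact Zeek JSON
records into one line each (the result of `jq -c .`) and refuse the
tab-separated format Zeek writes by default, which jq rejects as well."""
import json
from pathlib import Path

# Zeek's default ASCII writer starts each file with a "#separator" header.
ZEEK_TSV_MARKER = "#separator"


def compact_zeek_json(text: str) -> list[str]:
    """Return one compact JSON line per record in `text`.

    Accepts one-object-per-line and pretty-printed input alike, as jq does.
    Raises ValueError for TSV input or a truncated record."""
    if text.lstrip().startswith(ZEEK_TSV_MARKER):
        raise ValueError("tab-separated Zeek log, not JSON; enable JSON logging in Zeek")
    decoder = json.JSONDecoder()
    lines: list[str] = []
    pos = 0
    while True:
        # Skip whitespace between records (newlines, indentation).
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return lines
        try:
            record, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError as exc:
            raise ValueError(f"invalid JSON at offset {pos}: {exc.msg}") from exc
        # Separators without spaces and ensure_ascii=False match jq -c output.
        lines.append(json.dumps(record, separators=(",", ":"), ensure_ascii=False))


def convert_log(src: Path, dst: Path) -> int:
    """Append the compacted records of `src` to `dst` and return their count.

    Like `jq -c . src >> dst`, an existing target is appended to; parsing
    completes before the target is opened, so a bad input leaves it intact.
    """
    lines = compact_zeek_json(src.read_text(encoding="utf-8"))
    with dst.open("a", encoding="utf-8") as out:
        out.writelines(line + "\n" for line in lines)
    return len(lines)


# Constructed sample input (not real Zeek output): a pretty-printed conn.log
# record and the header lines of a default tab-separated Zeek log.
SAMPLE_JSON = '{\n  "ts": 1700000000.1,\n  "uid": "CDemo1",\n  "id.orig_h": "10.0.0.5"\n}\n'
SAMPLE_TSV = "#separator \\x09\n#fields\tts\tuid\n1700000000.1\tCDemo2\n"
```

Running `convert_log` over each file in /opt/zeek/logs/current with a target in /opt/zeek/logs/zeek-json reproduces step 4 for every log, and a tab-separated file is reported instead of producing a broken target file.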
