Sending Zeek events with filebeat to SecurityOnion 2.4 #13649

clopmz · 2024-09-11T05:27:00Z

clopmz
Sep 11, 2024

Hi all,

Is it possible to send Zeek events via Filebeat from a host that is not part of the SecurityOnion grid? My Zeek hosts are FreeBSD based and Elastic Agent is not supported under FreeBSD only beats (filebeat, metricbeat, etc).

Another option I can configure is to use Kafka, but can SecurityOnion act as a consumer for kafka to request Zeek events?

Many thanks.

reyesj2 · 2024-09-12T15:07:45Z

reyesj2
Sep 12, 2024
Maintainer

May take some work but logstash has a Kafka input policy you can leverage to consume from Kafka topics https://www.elastic.co/guide/en/logstash/current/plugins-inputs-kafka.html
OR
again may take some work on ingest pipeline for how documents get parsed but logstash has beats input https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html

I should also mention Security Onion Pro includes Kafka as a feature and may be an option. https://docs.securityonion.net/en/2.4/pro.html

1 reply

clopmz Sep 12, 2024
Author

And, is it not possible to send zeek events via filebeat to SecurityOnion's logstash?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Sending Zeek events with filebeat to SecurityOnion 2.4 #13649

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Sending Zeek events with filebeat to SecurityOnion 2.4 #13649

Uh oh!

clopmz Sep 11, 2024

Replies: 1 comment · 1 reply

Uh oh!

Uh oh!

reyesj2 Sep 12, 2024 Maintainer

Uh oh!

clopmz Sep 12, 2024 Author

clopmz
Sep 11, 2024

Replies: 1 comment 1 reply

reyesj2
Sep 12, 2024
Maintainer

clopmz Sep 12, 2024
Author