Proper method to enable ARP to be collected in local.zeek ? #14021
-
I'm using SO 2.4.110. I'd like to collect MAC info along with IP and Ports from Zeek. Skynet is suggesting that I simply add |
Replies: 2 comments 2 replies
-
There is no script for arp in |
-
By default, our Zeek configuration should be writing ARP and MAC data to /nsm/zeek/logs/current/ecat_arp_info.log. However, this log is not ingested into Elasticsearch by default. To ingest the data into Elasticsearch, go to your Zeek excluded configuration as shown at https://docs.securityonion.net/en/2.4/zeek.html#configuration, remove ecat_arp_info from the list, and save the configuration. Wait 15 minutes for the configuration to take effect or force it immediately. Once this data is flowing into Elasticsearch, you should be able to go to Dashboards and paste the following for a simple MAC address dashboard:

If you want to see the MAC/IP relationships as well:
|
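Before the dashboards are in place, the MAC/IP relationships can be checked straight from the log file. The following is an added example, not Security Onion or Zeek code: it parses Zeek's tab-separated ASCII log format using the #fields header, builds an IP-to-MAC map, and reports IPs claimed by more than one MAC. The sample log and its field names (SPA, SHA, etc.) are constructed assumptions about ecat_arp_info.log, not taken from the docs; because the parser reads the header, it adapts to whatever fields the real log carries.

```python
from collections import defaultdict

# Constructed sample in Zeek's ASCII log layout. Field names are an
# assumption about ecat_arp_info.log, not copied from Security Onion.
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tecat_arp_info
#fields\tts\tarp_type\tmac_src\tmac_dst\tSPA\tSHA\tTPA\tTHA
#types\ttime\tstring\tstring\tstring\taddr\tstring\taddr\tstring
1700000000.000001\trequest\taa:bb:cc:00:00:01\tff:ff:ff:ff:ff:ff\t10.0.0.1\taa:bb:cc:00:00:01\t10.0.0.5\t-
1700000000.000002\treply\taa:bb:cc:00:00:05\taa:bb:cc:00:00:01\t10.0.0.5\taa:bb:cc:00:00:05\t10.0.0.1\taa:bb:cc:00:00:01
1700000000.000003\treply\taa:bb:cc:00:00:99\taa:bb:cc:00:00:01\t10.0.0.5\taa:bb:cc:00:00:99\t10.0.0.1\taa:bb:cc:00:00:01
#close\t2023-11-14-22-13-20
"""


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header lines (#separator, #types, #close) are skipped
        if fields is None:
            raise ValueError("data record seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def mac_ip_relationships(text, ip_field="SPA", mac_field="SHA"):
    """Map each sender IP to the sorted list of MACs that claimed it."""
    rel = defaultdict(set)
    for rec in parse_zeek_log(text):
        ip, mac = rec.get(ip_field, "-"), rec.get(mac_field, "-")
        if ip != "-" and mac != "-":  # "-" is Zeek's unset marker
            rel[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in rel.items()}


def conflicting_ips(text):
    """IPs announced by more than one MAC: the rows a MAC/IP dashboard should highlight."""
    return sorted(ip for ip, macs in mac_ip_relationships(text).items() if len(macs) > 1)


if __name__ == "__main__":
    for ip, macs in mac_ip_relationships(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(macs))
    print("conflicts:", conflicting_ips(SAMPLE_LOG))
```

Run it against /nsm/zeek/logs/current/ecat_arp_info.log by reading the file into `text`; the ip/mac field arguments can be changed if the real log uses different names.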