Zeek (Bro) Network Monitor Integration
Overview
Zeek (formerly Bro) is a powerful network analysis framework that generates detailed logs of network activity. KYRA MDR collects Zeek logs for comprehensive network visibility and threat hunting. KYRA MDR supports Zeek 5.x and 6.x.
Prerequisites
- A KYRA MDR Collector installed and running
- Zeek installed and configured on a network tap or SPAN port
- Network connectivity from the Zeek sensor to the collector
- Sufficient storage for Zeek log output
Configuration
Configure Zeek to forward logs to KYRA MDR:
- Configure JSON logging in local.zeek:

```zeek
@load policy/tuning/json-logs.zeek
redef LogAscii::use_json = T;
```

- Use Filebeat to forward Zeek logs:

```yaml
filebeat.inputs:
  - type: log
    paths:
      - /opt/zeek/logs/current/*.log
    json.keys_under_root: true

output.logstash:
  hosts: ["<collector-ip>:5044"]
```

- Restart Zeek and the log shipper:

```bash
zeekctl deploy
sudo systemctl restart filebeat
```

Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| conn.log | TCP/UDP/ICMP connection records | Network baseline, anomaly detection |
| dns.log | DNS queries and responses | DNS tunneling, C2 detection |
| http.log | HTTP requests and responses | Web attack detection |
| ssl.log | TLS/SSL handshake data | Certificate monitoring |
| files.log | File transfer metadata | Malware transfer detection |
| notice.log | Zeek-generated notices and alerts | Anomaly detection |
Troubleshooting
No Zeek logs: Verify Zeek is capturing traffic with `zeekctl status`.
JSON format not working: Ensure `@load policy/tuning/json-logs.zeek` is included in local.zeek. Log files written in the default TSV format begin with a `#separator` header line instead of a JSON object.
Missing protocol logs: Zeek only generates logs for observed traffic. Verify the network tap or SPAN port is configured correctly and that the expected traffic actually reaches the sensor interface.
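The following is an added example and is not part of the KYRA MDR or Zeek documentation. It shows what the collector-side tooling can do with the JSON records described in the Collected Log Types table: it parses Zeek JSON log lines, applies a DNS-tunneling heuristic of the kind listed for dns.log (long, high-entropy first labels repeated under one parent domain), and performs the format check from the troubleshooting item above (a file whose first line starts with `#separator` is still in Zeek's TSV format). The sample log lines are constructed; they follow Zeek's dns.log field names. The thresholds (`min_label_len`, `min_entropy`, `min_unique`) are assumptions for this example, not Zeek or KYRA MDR settings.

```python
"""Parse Zeek JSON log lines and run a simple DNS-tunneling heuristic.

Added example (not part of the KYRA MDR documentation). The sample log
lines below are constructed; field names follow Zeek's dns.log schema.
"""
import json
import math
from collections import defaultdict

# Constructed sample lines in the format produced when
# policy/tuning/json-logs.zeek is loaded: one JSON object per line.
SAMPLE_DNS_LOG = """
{"ts":1700000000.1,"uid":"CbXyz1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.53","proto":"udp","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1700000001.2,"uid":"CbXyz2","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.53","proto":"udp","query":"mail.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1700000002.3,"uid":"CbXyz3","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.53","proto":"udp","query":"a9f3k2m8q1z7x4c6v0b5n2l8.tunnel.example.net","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1700000003.4,"uid":"CbXyz4","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.53","proto":"udp","query":"k2p9w7e4r1t6y3u8i5o0a2s7.tunnel.example.net","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1700000004.5,"uid":"CbXyz5","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.53","proto":"udp","query":"d8f4g2h7j1k9l3z6x0c5v8b2.tunnel.example.net","qtype_name":"TXT","rcode_name":"NOERROR"}
"""

# Constructed header as Zeek's default ASCII writer emits it when JSON
# logging is NOT enabled (the literal text is "#separator \x09").
SAMPLE_TSV_HEADER = "#separator \\x09\n#set_separator\t,\n#fields\tts\tuid\n"


def looks_like_json_log(text):
    """True if the first non-empty line is a JSON object, False if it is a
    Zeek TSV header (the symptom behind 'JSON format not working')."""
    for line in text.splitlines():
        if line.strip():
            return not line.startswith("#")
    return False


def parse_zeek_json(text):
    """Return one dict per JSON record; raise if the file is TSV."""
    if not looks_like_json_log(text):
        raise ValueError("TSV header found; JSON logging is not enabled")
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunneling_candidates(records, min_label_len=20, min_entropy=3.5, min_unique=3):
    """Return parent domains whose queries look like encoded payloads.

    Heuristic (thresholds are assumed tuning values): at least `min_unique`
    distinct first labels under one parent domain, each long and
    high-entropy, which is typical of DNS tunneling encoders. Short,
    human-readable hostnames such as www.example.com never qualify.
    """
    labels_by_parent = defaultdict(set)
    for r in records:
        query = r.get("query", "")
        if "." not in query:
            continue
        first_label, parent = query.split(".", 1)
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            labels_by_parent[parent].add(first_label)
    return sorted(p for p, labels in labels_by_parent.items() if len(labels) >= min_unique)


if __name__ == "__main__":
    recs = parse_zeek_json(SAMPLE_DNS_LOG)
    print("parsed", len(recs), "dns.log records")
    print("tunneling candidates:", dns_tunneling_candidates(recs))
    print("TSV sample is JSON?", looks_like_json_log(SAMPLE_TSV_HEADER))
```

In production the same functions would read `/opt/zeek/logs/current/dns.log` (or the records arriving at the collector) instead of the embedded sample; the format check is a cheap way to confirm on the sensor that the `json-logs.zeek` policy is actually in effect before investigating the shipper.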
Contact kyra@seekerslab.com for support.