
Lab S02 — Splunk and Zeek

Install Zeek on Ubuntu 22.04, configure JSON logging, and forward Zeek network logs to Splunk Enterprise.

~45 min Ubuntu 22.04 5 Sections

Prerequisites

1

Complete Lab S00 before starting this lab. You will need a working Splunk Enterprise instance on Ubuntu 22.04.

2

This lab was tested using an Ubuntu 22.04 Virtual Machine in Synology VMM. It should work on most local network environments using the same operating system, virtual or bare metal.

Introduction — What is Zeek?

What is Zeek?

Zeek (formerly Bro) is a free, open-source network security monitoring and analysis tool. Originally developed by Vern Paxson at Lawrence Berkeley National Lab in 1995, it was renamed from Bro to Zeek in 2018. Zeek is considered less beginner-friendly than tools like Suricata because it requires scripting knowledge for advanced use cases.

Network Traffic Analysis

Zeek analyzes traffic to detect anomalies and suspicious signatures — DNS, HTTP, FTP activity and more.

Incident Response

Zeek can automatically extract suspicious files from observed traffic and blocklist IPs as part of an automated incident response workflow.

Flexible Framework

Zeek supports custom scripting for in-depth monitoring, allowing security teams to tailor detection logic to their environment.

Platform

Deploy on-premises, in the cloud, or out-of-band. Zeek outputs metadata and extracted files in multiple formats.

Zeek App in Splunk

1

In your Splunk Web UI, open the Apps dropdown and select Find More Apps. Search for and install both TA_for_zeek and Zeek App for Hunting.

Install Zeek apps in Splunk
2

Create a new index called zeek. Assign it to the Zeek App for Threat Hunting and leave all other settings at their defaults.

Create zeek index in Splunk

Install and Configure Zeek on Ubuntu 22.04

Note: $ZEEK_HOME refers to /opt/zeek throughout this section.
1

Install Zeek from the OpenSUSE repository by running the following commands on your Ubuntu 22.04 VM:

echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
sudo apt update && sudo apt install zeek

When prompted for a Mail server configuration, select No Configuration.

2

Add Zeek to your PATH so you can run Zeek commands without specifying the full path each time (the single quotes keep $PATH from being expanded when the line is written, so the entry stays valid in every new shell):

echo 'export PATH=$PATH:/opt/zeek/bin' >> ~/.bashrc
source ~/.bashrc
3

Find the name of your capture interface with the ip address command, then edit the Zeek node configuration file to set that interface:

sudo nano /opt/zeek/etc/node.cfg

Set the configuration as follows (replace eno2 with your actual interface name):

[zeek]
type=standalone
host=localhost
interface=eno2
Zeek node.cfg configuration
4

Enable JSON logging by adding the following lines to the bottom of /opt/zeek/share/zeek/site/local.zeek:

sudo nano /opt/zeek/share/zeek/site/local.zeek

Add to the bottom of the file:

# Output to JSON
@load policy/tuning/json-logs.zeek
5

Install and start Zeek using zeekctl:

sudo /opt/zeek/bin/zeekctl install
sudo /opt/zeek/bin/zeekctl start

Confirm that logs are being generated by checking the $ZEEK_HOME/spool/zeek folder.

Zeek logs generating in spool folder
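A quick way to confirm not only that logs exist but that the JSON switch took effect: Zeek's default TSV logs begin with header lines such as "#separator", while JSON logs are one object per line with a "ts" field. The script below is an added example, not part of the lab; it checks every *.log in a directory and reports which are JSON and which are still TSV. The sample conn.log and dns.log it creates under a temporary directory are constructed here for offline testing, and the function names are this example's own. Point check_all_logs at $ZEEK_HOME/spool/zeek to run it against a live install.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): verify that Zeek logs are JSON, as
# produced by policy/tuning/json-logs.zeek, rather than the default TSV.
set -u

# check_zeek_json_log FILE
#   prints "json <n>" and returns 0 when every non-empty line is a JSON object
#   carrying a "ts" field; prints "tsv" and returns 1 for a TSV log (header
#   lines start with "#"); prints "bad <n>" and returns 2 for anything else.
check_zeek_json_log() {
    local file=$1 n=0 line
    [ -s "$file" ] || { echo "empty"; return 3; }
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then continue; fi
        case $line in
            '#'*)                 echo "tsv"; return 1 ;;
            '{'*'"ts":'*'}')      n=$((n + 1)) ;;
            *)                    echo "bad $n"; return 2 ;;
        esac
    done < "$file"
    echo "json $n"
    return 0
}

# check_all_logs DIR
#   runs the check on every *.log in DIR, prints "name: status" per file and
#   returns non-zero if any file is not JSON.
check_all_logs() {
    local dir=$1 rc=0 f status
    for f in "$dir"/*.log; do
        [ -e "$f" ] || continue
        status=$(check_zeek_json_log "$f") || rc=1
        printf '%s: %s\n' "$(basename "$f")" "$status"
    done
    return $rc
}

# Constructed sample data (not real captures): a JSON conn.log with two records
# and a dns.log still in TSV form (real TSV uses tabs; only the leading '#' of
# the header lines matters to this check).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/conn.log" <<'EOF'
{"ts":1700000000.123456,"uid":"CExample1","id.orig_h":"192.0.2.10","id.orig_p":51234,"id.resp_h":"198.51.100.5","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"ts":1700000001.654321,"uid":"CExample2","id.orig_h":"192.0.2.11","id.orig_p":51235,"id.resp_h":"198.51.100.53","id.resp_p":53,"proto":"udp","conn_state":"SF"}
EOF
cat > "$SAMPLE_DIR/dns.log" <<'EOF'
#separator \x09
#fields ts uid id.orig_h
1700000002.000000 CExample3 192.0.2.12
EOF

# Stand-alone run: prints one line per log; conn.log passes, dns.log does not.
check_all_logs "$SAMPLE_DIR" || echo "at least one log is not JSON"
```

Against a real install, substitute the spool directory for the sample: check_all_logs /opt/zeek/spool/zeek. A "tsv" result after the local.zeek change usually means zeekctl deploy (or install plus restart) was not run after editing the file.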

Automate Zeek and Configure Splunk Inputs

1

Create a systemd service so Zeek starts automatically on boot. First stop the current Zeek process:

sudo /opt/zeek/bin/zeekctl stop

Create the systemd service file:

sudo nano /etc/systemd/system/zeek.service

Add the following contents:

[Unit]
Description=Zeek Collection Server
After=network.target

[Service]
ExecStartPre=/opt/zeek/bin/zeekctl check
ExecStart=/opt/zeek/bin/zeekctl start
ExecReload=/opt/zeek/bin/zeekctl reload
ExecStop=/opt/zeek/bin/zeekctl stop
Restart=on-failure
RestartPreventExitStatus=255
Type=forking

[Install]
WantedBy=multi-user.target
Alias=zeek.service

Reload systemd so it picks up the new unit file, enable the unit so Zeek starts on boot, then start the service:

sudo systemctl daemon-reload
sudo systemctl enable zeek
sudo systemctl start zeek
2

Set up a cron job to run zeekctl cron every 5 minutes. This is required for Zeek's log rotation to function correctly:

sudo crontab -e

Add the following line:

*/5 * * * * /opt/zeek/bin/zeekctl cron
On Cron

The cron command-line utility is a job scheduler on Unix-like operating systems. The cron daemon checks scheduled tasks every minute.

3

Configure Splunk to monitor Zeek logs. Add the following to /opt/splunk/etc/system/local/inputs.conf (create the file if it does not exist):

sudo nano /opt/splunk/etc/system/local/inputs.conf

Add the following content:

[default]
host = zeek-01

[monitor:///opt/zeek/logs/current/conn.log]
_TCP_ROUTING = *
index = zeek
source = bro.conn.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/dns.log]
_TCP_ROUTING = *
index = zeek
source = bro.dns.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/ssl.log]
_TCP_ROUTING = *
index = zeek
source = bro.ssl.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/smtp.log]
_TCP_ROUTING = *
index = zeek
source = bro.smtp.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/software.log]
_TCP_ROUTING = *
index = zeek
source = bro.software.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/ssh.log]
_TCP_ROUTING = *
index = zeek
source = bro.ssh.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/x509.log]
_TCP_ROUTING = *
index = zeek
source = bro.x509.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/ftp.log]
_TCP_ROUTING = *
index = zeek
source = bro.ftp.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/http.log]
_TCP_ROUTING = *
index = zeek
source = bro.http.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/rdp.log]
_TCP_ROUTING = *
index = zeek
source = bro.rdp.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/smb_files.log]
_TCP_ROUTING = *
index = zeek
source = bro.smb_files.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/smb_mapping.log]
_TCP_ROUTING = *
index = zeek
source = bro.smb_mapping.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/snmp.log]
_TCP_ROUTING = *
index = zeek
source = bro.snmp.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/sip.log]
_TCP_ROUTING = *
index = zeek
source = bro.sip.log
sourcetype = bro:json

[monitor:///opt/zeek/logs/current/files.log]
_TCP_ROUTING = *
index = zeek
source = bro.files.log
sourcetype = bro:json
Splunk inputs.conf for Zeek
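Every monitor stanza above has the same shape and differs only in the log name, so the file is easy to generate rather than hand-edit, and adding a log type later (notice.log or weird.log, for instance) becomes a one-word change. The script below is an added example, not part of the lab or of Splunk; it writes the same fifteen stanzas to a temporary file. The function names, the ZEEK_LOG_DIR/SPLUNK_INDEX/SPLUNK_HOST variables and the hostname zeek-01 are this example's assumptions, chosen to match the lab's inputs.conf, and the name check rejects anything that is not a plain Zeek log name so a stray path or space cannot end up inside a stanza header.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): generate Splunk monitor stanzas for a
# list of Zeek logs, mirroring the stanza layout used in this lab
# (index zeek, sourcetype bro:json, source bro.<name>.log).
set -u

ZEEK_LOG_DIR=${ZEEK_LOG_DIR:-/opt/zeek/logs/current}
SPLUNK_INDEX=${SPLUNK_INDEX:-zeek}
SPLUNK_HOST=${SPLUNK_HOST:-zeek-01}   # assumed host value, as in the lab's [default] stanza

# zeek_monitor_stanza NAME : print one [monitor://...] stanza for NAME.log
#   Only letters, digits and underscore are accepted as a log name.
zeek_monitor_stanza() {
    local name=$1
    case $name in
        ''|*[!A-Za-z0-9_]*)
            printf 'invalid log name: %s\n' "$name" >&2
            return 1 ;;
    esac
    printf '[monitor://%s/%s.log]\n' "$ZEEK_LOG_DIR" "$name"
    printf '_TCP_ROUTING = *\n'
    printf 'index = %s\n' "$SPLUNK_INDEX"
    printf 'source = bro.%s.log\n' "$name"
    printf 'sourcetype = bro:json\n\n'
}

# zeek_inputs_conf NAME... : print a complete inputs.conf for the given logs
zeek_inputs_conf() {
    printf '[default]\nhost = %s\n\n' "$SPLUNK_HOST"
    local name
    for name in "$@"; do
        zeek_monitor_stanza "$name" || return 1
    done
}

# count_monitor_stanzas FILE : number of [monitor://...] stanzas in FILE
count_monitor_stanzas() {
    grep -c '^\[monitor://' "$1"
}

# The fifteen logs monitored in this lab; extend the list to monitor more.
LAB_LOGS="conn dns ssl smtp software ssh x509 ftp http rdp smb_files smb_mapping snmp sip files"

OUT=$(mktemp)
trap 'rm -f "$OUT"' EXIT
# shellcheck disable=SC2086  # word-splitting of LAB_LOGS is intended
zeek_inputs_conf $LAB_LOGS > "$OUT"
echo "wrote $(count_monitor_stanzas "$OUT") monitor stanzas to $OUT"
echo "review it, then copy it to /opt/splunk/etc/system/local/inputs.conf and restart Splunk"
```

Because the generated file is written to a temporary path, nothing under /opt/splunk changes until you copy it yourself; diff it against the existing inputs.conf first if one is already in place.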
4

Restart Splunk, then verify data is arriving in the zeek index by running the following search in Apps → Search & Reporting:

index="zeek"
Zeek logs in Splunk zeek index