Shipping Zeek logs on OpenBSD

OpenBSD does not provide many good options for shipping logs to a remote destination. Well-known solutions like Fluentd, fluent-bit, Cribl, etc. are just not (yet) available :( In this blog post I describe how I'm shipping Zeek logs from my firewall using Rsyslog into my logging infrastructure, which currently consists of Cribl and Splunk running on Linux VMs.

Enable JSON logging in Zeek

The default TSV logging format of Zeek is fine when working with the logs locally with tools like cat, grep and zeek-cut. But when forwarding logs to a SIEM I prefer to use the JSON format, since a single JSON object per line carries its own field names and needs no separate header to parse. To make Zeek write its logs as JSON, load the json-logs module in the site-local configuration. ...
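As an added example (not the author's configuration, which is cut off above), this is what loading the json-logs policy in the site-local script looks like. It assumes a standard Zeek install where the site configuration lives in share/zeek/site/local.zeek; the second form shows the two redefs the policy script enables, so you can set them yourself if you also want ISO 8601 timestamps instead of epoch floats:

```zeek
# Added example: share/zeek/site/local.zeek (path is an assumption
# about a default install; adjust to your prefix).

# Option 1: load the bundled policy, which switches the ASCII writer
# to JSON output for every log stream.
@load policy/tuning/json-logs

# Option 2: set the writer options directly instead of (or in addition
# to) the policy above. use_json makes every *.log file one JSON object
# per line; json_timestamps picks how "ts" is rendered. Epoch floats
# are the default; ISO 8601 is easier for a SIEM to parse without a
# custom timestamp format.
redef LogAscii::use_json = T;
redef LogAscii::json_timestamps = JSON::TS_ISO8601;
```

After a `zeekctl deploy` (or a restart of the zeek process) the files in the log directory keep their names (conn.log, dns.log, ...) but each line is now a JSON object, and zeek-cut no longer applies; use jq or the SIEM's JSON parser instead.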

December 22, 2024 · 4 min · Jörgen