forked from picatz/fluentd-zeek-conf
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathzeek.conf
113 lines (102 loc) · 3.1 KB
/
zeek.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
<source>
type tail
format tsv
keys ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration,orig_bytes,resp_bytes,conn_state,local_orig,local_resp,missed_bytes,history,orig_pkts,orig_ip_bytesresp_pkts,resp_ip_bytes,tunnel_parents
path /var/log/zeek/conn.log
pos_file /var/lib/google-fluentd/pos/zeek-conn.pos
read_from_head true
tag zeek-conn
</source>
<source>
type tail
format tsv
keys ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,trans_id,rtt,query,qclass,qclass_name,qtype,qtype_name,rcode,rcode_name,AA,TC,RD,RA,Z,answers,TTLs,rejected
path /var/log/zeek/dns.log
pos_file /var/lib/google-fluentd/pos/zeek-dns.pos
read_from_head true
tag zeek-dns
</source>
<source>
type tail
format none
path /var/log/zeek/ftp.log
pos_file /var/lib/google-fluentd/pos/zeek-ftp.pos
read_from_head true
tag zeek-ftp
</source>
<source>
type tail
format tsv
keys ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,trans_depth,method,host,uri,referrer,version,user_agent,request_body_len,response_body_len,status_code,status_msg,info_code,info_msg,tags,username,password,proxied,orig_fuids,orig_filenames,orig_mime_types,resp_fuids,resp_filenames,resp_mime_types
path /var/log/zeek/http.log
pos_file /var/lib/google-fluentd/pos/zeek-http.pos
read_from_head true
tag zeek-http
</source>
<source>
type tail
format tsv
keys ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,version,auth_success,auth_attempts,direction,client,server,cipher_alg,mac_alg,compression_alg,kex_alg,host_key_alg,host_key
path /var/log/zeek/ssh.log
pos_file /var/lib/google-fluentd/pos/zeek-ssh.pos
read_from_head true
tag zeek-ssh
</source>
<source>
type tail
format none
path /var/log/zeek/ssl.log
pos_file /var/lib/google-fluentd/pos/zeek-ssl.pos
read_from_head true
tag zeek-ssl
</source>
<source>
type tail
format none
path /var/log/zeek/rdp.log
pos_file /var/lib/google-fluentd/pos/zeek-rdp.pos
read_from_head true
tag zeek-rdp
</source>
<source>
type tail
format none
path /var/log/zeek/ntlm.log
pos_file /var/lib/google-fluentd/pos/zeek-ntlm.pos
read_from_head true
tag zeek-ntlm
</source>
<source>
type tail
format none
path /var/log/zeek/pe.log
pos_file /var/lib/google-fluentd/pos/zeek-pe.pos
read_from_head true
tag zeek-pe
</source>
<source>
type tail
format tsv
keys ts,fuid,tx_hosts,rx_hosts,conn_uids,source,depth,analyzers,mime_type,filename,duration,local_orig,is_orig,seen_bytes,total_bytes,missing_bytes,overflow_bytes,timedout,parent_fuid,md5,sha1,sha256,extracted,extracted_cutoff,extracted_size
path /var/log/zeek/files.log
pos_file /var/lib/google-fluentd/pos/zeek-files.pos
read_from_head true
tag zeek-files
</source>
<source>
type tail
format tsv
keys ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,name,addl,notice,peer
path /var/log/zeek/weird.log
pos_file /var/lib/google-fluentd/pos/zeek-weird.pos
read_from_head true
tag zeek-weird
</source>
<source>
type tail
format none
path /var/log/zeek/capture_loss.log
pos_file /var/lib/google-fluentd/pos/zeek-loss.pos
read_from_head true
tag zeek-loss
</source>