Zeek Logs
Connecting Zeek logs to your Panther Console
Overview
Panther supports ingesting Zeek logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
How to onboard Zeek logs to Panther
To pull these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for the log type you want to onboard, then click its tile.
Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
Configure Zeek to push logs to the Data Transport source.
See Zeek's documentation for instructions on pushing logs to your selected Data Transport source.
Supported log types
Zeek.CaptureLoss
Zeek CaptureLoss logs record evidence of the degree to which the packet capture process suffers from measurement loss.
Reference: Capture Loss
Zeek.Conn
Reference: conn.log
Zeek.DHCP
Reference: dhcp.log
Zeek.DNS
Zeek DNS activity
Reference: Zeek documentation - DNS::info
Zeek.DPD
Zeek Dynamic Protocol Detection.
Reference: dpd.log
Zeek.Files
Reference: files.log
Zeek.HTTP
Reference: http.log
Zeek.Notice
Reference: notice.log
Zeek.NTP
Reference: ntp.log
Zeek.OCSP
Reference: ocsp.log
Zeek.Reporter
Zeek internal warnings and errors.
Reference: reporter.log
Zeek.SIP
This schema represents Zeek SIP analysis logs.
Reference: sip.log
Zeek.Software
Reference: software.log
Zeek.SSH
Reference: ssh.log
Zeek.SSL
Reference: ssl.log
Zeek.Stats
Reference: stats.log
Zeek.Tunnel
The purpose of Zeek’s tunnel.log is to identify encapsulated traffic.
Reference: tunnel.log
Zeek.Weird
Reference: weird.log
Zeek.X509
Reference: x509.log