---
id: ingest-zeek-logs
title: Ingest Zeek Logs
description: Learn how to collect Zeek (Bro) logs and ingest them to Cloud SIEM.
slug: /help/docs/cse/sensors/ingest-zeek-logs/
canonical: https://www.sumologic.com/help/docs/cse/sensors/ingest-zeek-logs/
---

import useBaseUrl from '@docusaurus/useBaseUrl';

This topic has instructions for ingesting Zeek logs into Cloud SIEM. 

## What is Zeek?

Cloud SIEM uses [Zeek](https://zeek.org/) (formerly known as Bro) for network visibility. Zeek is an open source network analysis framework that organizes packets into flows, decodes common protocols, performs file extraction, SSL certificate validation, OS fingerprinting and more. Zeek can be extended through plugins for additional detection capabilities.

## Supported collection method: Sumo Logic source

If you already have a Zeek deployment, you can collect logs using a Sumo Logic collector and source.

:::note
This method requires that your Zeek logs are in JSON format. 
:::

### Configure a Sumo Logic source

In this step, you configure a Sumo Logic source on an Sumo Logic installed collector. Choose the appropriate source type based on:
* If you already have a method of forwarding Zeek logs in JSON format in Syslog format to a collector in your environment, you can use a Syslog source to ingest the logs.
* If you’re not set up to use Syslog, and have Zeek log files stored on a filesystem, you can use a local file source to ingest the logs.

After configuring the appropriate source, use one of the methods described in [Enable parsing and mapping of Zeek logs](#enable-parsing-and-mapping-of-zeek-logs) to provide information Cloud SIEM requires to parse and map Zeek logs.

### Enable parsing and mapping of Zeek logs

This configuration step is required to ensure that Cloud SIEM knows how to parse incoming Zeek logs, correctly map the log fields to schema attributes, and create Cloud SIEM records. The most important bit of information is what type of data a particular log contains. Zeek has a variety of log types, for example `conn` for TCP/UDP/ICMP connections, `http` for HTTP requests and replies, and `ftp` for FTP activity.

So, how to determine whether a Zeek log is a `conn`, `http`, `ftp`, or some other log type? Zeek logs don’t contain a key that explicitly holds a value that is only the log type identifier. There are two options for dealing with this:

* Use Corelight to add a field to each Zeek log that identifies its log type. See [Use Corelight](#use-corelight) below.
* Use Sumo Logic Field Extraction Rules (FERs) to create fields that provide the log type and other data that enables Cloud SIEM to parse and map the logs. See [Use FERs](#use-fers).

### Use Corelight

With this method, you use Corelight’s [json-streaming-logs](https://github.com/corelight/json-streaming-logs), a Bro script package that creates JSON formatted logs, and adds an extension field, named `_path` that identifies the Zeek log type to each Zeek log. Then, you map that field to **Event ID** in a Sumo Logic ingest mapping.

After installing the `json-streaming-logs` package, follow these instructions to set up the Sumo Logic mapping.

1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Cloud SIEM**, and then under **Cloud SIEM Integrations** select **Ingest Mappings**. You can also click the **Go To...** menu at the top of the screen and select **Ingest Mappings**.  <br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top Cloud SIEM menu select **Configuration**, and then under **Integrations** select **Sumo Logic**. 
1. On the **Ingest Mappings** tab, click **+ Add Ingest Mapping**.<br/><img src={useBaseUrl('img/cse/ingest-mappings.png')} alt="Ingest mappings" style={{border: '1px solid gray'}} width="800"/>
1. On the **Add Ingest Mapping** tab:
   1. **Source Category**. Enter the source category value you assigned to the source you configured above in [Configure a Sumo Logic source](#configure-a-sumo-logic-source).
   1. **Format**. Choose **Bro/Zeek JSON**.
   1. **Event ID**. Enter `{_path}`.
   1. **Enabled**. Use the slider to enable the mapping if you’re ready to receive Zeek logs.
   1. Click **Create**.<br/><img src={useBaseUrl('img/cse/create-mapping.png')} alt="Create mapping" style={{border: '1px solid gray'}} width="400"/>

### Use FERs

With this method, you use Sumo Logic Field Extraction Rules (FERs) to extract fields from each Zeek log. The fields you extract will provide the information necessary for Cloud SIEM to correctly parse and map the logs. 

Here’s an example Bro log from the Security Onion platform. 

```
{"TAGS":".source.s_bro_conn","SOURCEIP":"127.0.0.1","PROGRAM":"bro_conn","PRIORITY":"notice","MESSAGE":"{\"ts\":\"2020-05-28T10:32:51.997054Z\",\"uid\":\"Cu3KVA2TbWqZm1Z0S6\",\"id.orig_h\":\"1.2.3.4\",\"id.orig_p\":16030,\"id.resp_h\":\"5.6.7.8\",\"id.resp_p\":161,\"proto\":\"udp\",\"duration\":30.000317811965942,\"orig_bytes\":258,\"resp_bytes\":0,\"conn_state\":\"S0\",\"local_orig\":true,\"local_resp\":true,\"missed_bytes\":0,\"history\":\"D\",\"orig_pkts\":6,\"orig_ip_bytes\":426,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"sensorname\":\"test\"}","ISODATE":"2020-05-28T10:34:24+00:00","HOST_FROM":"somehost","HOST":"somehost","FILE_NAME":"/nsm/bro/logs/current/conn.log","FACILITY":"user"}
```

In the log above, the content of the Bro log is the value of the `MESSAGE` key. Note that no key in the log explicitly states the log type, which is `conn`. 

To enable Cloud SIEM to successfully process the log, we need to create the following fields listed in the table below.

<table>
  <tr>
   <td><strong>Field</strong></td>
   <td><strong>Parse Expression</strong> </td>
  </tr>
  <tr>
   <td><code>_siemMessage</code> </td>
   <td><code>json field=_raw "MESSAGE" as _siemMessage</code> </td>
  </tr>
  <tr>
   <td><code>_siemEventId</code></td>
   <td><code>json field=_raw "PROGRAM" as _siemEventId | parse regex field=_siemEventId "bro_(?&lt;_siemEventId>.*)"</code> </td>
  </tr>
  <tr>
   <td><code>_siemFormat</code></td>
   <td><code>"bro" as _siemFormat</code></td>
  </tr>
  <tr>
   <td><code>_siemVendor</code></td>
   <td><code>"bro" as _siemVendor</code></td>
  </tr>
  <tr>
   <td><code>_siemProduct</code></td>
   <td><code>"bro" as _siemProduct</code></td>
  </tr>
</table>

Perform these steps for each of the FERs.

1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Data Management**, and then under **Logs** select **Field Extraction Rules**. You can also click the **Go To...** menu at the top of the screen and select **Field Extraction Rules**.  <br/>[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Logs > Field Extraction Rules**. 
1. Click **Add Rule**.
1. In the **Add Field Extraction Rule** pane:
   1. **Rule Name**. Enter a meaningful name for the rule.
   1. **Applied At**. Click Ingest Time. 
   1. **Scope**. Click **Specific Data**.
   1. **Parse Expression**. Enter the parse expression shown in the table above for the field the rule will extract.
1. Click **Save**.<br/><img src={useBaseUrl('img/cse/example-fer.png')} alt="Example FER" style={{border: '1px solid gray'}} width="400"/>


## Unsupported collection method: Network Sensor

:::warning End-of-Life
This section describes using the Cloud SIEM Network Sensor. [Network Sensor has reached its end of life](/docs/cse/sensors/network-sensor-end-of-life/). Instead, use Zeek. For more information, see [Supported collection method: Sumo Logic source](#supported-collection-method-sumo-logic-source) above. 
:::

You can use Cloud SIEM’s Network Sensor to collect Zeek logs and upload them to an HTTP source on a Sumo Logic hosted collector. This method ensures that supported Bro policies are enabled and that the supported Bro output format is configured. It also results in the creation of Cloud SIEM records from the raw Zeek log messages. For instructions, see [Network Sensor Deployment Guide](/docs/cse/sensors/network-sensor-deployment-guide). 

The Network Sensor extracts files observed over cleartext protocols that match selected MIME types. You can configure what types will be extracted using the [extracted_file_types](/docs/cse/sensors/network-sensor-deployment-guide) property in the Network Sensor’s configuration file, `trident-sensor.cfg`. By default the sensor will upload password-protected zip files and the following types of executables:

* `application/x-dosexec`
* `application/x-msdownload`
* `application/x-msdos-program`

### Filtering Zeek logs

This section describes two methods you can use to filter the logs that the Network Sensor sends to Cloud SIEM.

* You can configure a Berkeley Packet Filter (BPF) filter using the [filter](/docs/cse/sensors/network-sensor-deployment-guide) parameter in Network Sensor’s configuration file, `trident-sensor.cfg`. This is the most efficient filtering mechanism as it is performed before Network Sensor processing.

    The value of the `filter` parameter is an expression that begins with `not`. This example expression ensures the that the Network Sensor will not process any traffic involving host `a.b.c.com` or host `d.e.f.com`:

    `not ( host a.b.c.com ) and not ( host d.e.f.com )`

    For information about BPF filter syntax, see https://biot.com/capstats/bpf.html.  

* You can also filter by Zeek log type using the [skipped_log_types](/docs/cse/sensors/network-sensor-deployment-guide) property in `trident-sensor.cfg`. The default value of `skipped_log_types` is:

   ```
   dpd,weird,syslog,pe,tunnel,communication,conn-summary,known_hosts,software,stdout.stderr,loaded_scripts,ntp
   ```

    You can add additional Zeek log types to the list to exclude them.

The BPF filter is applied before `skipped_log_types`. So, given the example BPF filter above, if you add `dns` to the `skipped_log_types` value, you will not ingest logs related to traffic involving hosts `a.b.c.com` or `d.e.f.com`, and you will not ingest DNS data.