A Python application to transfer Zeek ASCII (not JSON) logs to Elastic/OpenSearch.

Last update: Dec 22, 2022

Related tags

Overview

zeek2es.py

This Python application translates Zeek's ASCII TSV logs into ElasticSearch's bulk load JSON format. For JSON logs, see Elastic's File Beats application.

This application will recognize gzip or uncompressed logs.

This application assumes you have Elasticsearch set up on your localhost at the default port.

Run this program on a system with the same timezone that was logged by Zeek originally, as zeek-cut -d -u translates the timestamps into UTC for Elasticsearch.

Command Line:

python zeek2es.py your_zeek_log.gz -i your_es_index_name

This script can be run in parallel on all connection logs, 10 at a time, with the following command:

find /some/dir -name “conn*.log.gz” | parallel -j 10 python zeek2es.py {1} :::: -

Command Line Options:

$ python zeek2es.py -h
usage: zeek2es.py [-h] [-i ESINDEX] [-u ESURL] [-l LINES] [-n NAME] [-c] [-s] [-b] filename

Process Zeek ASCII logs into Elasticsearch.

positional arguments:
  filename              The Zeek log in *.log or *.gz format. Include the full path.

optional arguments:
  -h, --help            show this help message and exit
  -i ESINDEX, --esindex ESINDEX
                        The Elasticsearch index name.
  -u ESURL, --esurl ESURL
                        The Elasticsearch URL. (default: http://localhost:9200/)
  -l LINES, --lines LINES
                        Lines to buffer for RESTful operations. (default: 50,000)
  -n NAME, --name NAME  The name of the system to add to the index for uniqueness. (default: empty string)
  -c, --checkindex      Check for the ES index first, and if it exists exit this program.
  -s, --stdout          Print JSON to stdout instead of sending to Elasticsearch directly.
  -b, --nobulk          Remove the ES bulk JSON header. Requires --stdout.

Requirements:

A Unix-like environment (MacOs works!)
Python
zeek-cut in your path

Python script for converting .json to .md files using Mako templates.

Install Just install poetry and update script dependencies Usage Put your settings in settings.py and .json data (optionally, with attachments) in dat

6 Dec 7, 2021

json|dict to python object

Pyonize convert json|dict to python object Setup pip install pyonize Examples from pyonize import pyonize

45 Nov 25, 2022

Editor for json/standard python data

1 Dec 7, 2021

Convert your JSON data to a valid Python object to allow accessing keys with the member access operator(.)

JSONObjectMapper Allows you to transform JSON data into an object whose members can be queried using the member access operator. Unlike json.dumps in

4 Jul 20, 2022

Python script to extract news from RSS feeds and save it as json.

14 Dec 22, 2022

Define your JSON schema as Python dataclasses

62 Sep 20, 2022

A Python tool that parses JSON documents using JsonPath

8 Dec 18, 2022

Simple Python Library to convert JSON to XML

json2xml Simple Python Library to convert JSON to XML

79 Nov 11, 2022

Marshall python objects to and from JSON

Pymarshaler - Marshal and Unmarshal Python Objects Disclaimer This tool is in no way production ready About Pymarshaler allows you to marshal and unma

9 Dec 20, 2022

Comments

Datastreams for zeek should be inside the logs-* naming

Hi

I just discovered this great repository. I personally think that when using datastreams the naming convention should be logs-zeek-default. This would follow our datastream recommendations for type-dataset-namespace.

By placing the index with starting logs it will show up automatically within the logs stream and the security pages and all other sorts of places within Kibana.
documentation enhancement helper scripts

opened by philippkahr 7

Releases(v0.3.15)

v0.3.15(Aug 18, 2022)

Various Humio import improvements.
Source code(tar.gz)
Source code(zip)
v0.3.12(May 27, 2022)

Will continue to try to send data to Humio if there is an error.
Source code(tar.gz)
Source code(zip)
v0.3.11(May 25, 2022)

Added Humio support with --humio command line option.
Source code(tar.gz)
Source code(zip)
v0.3.10(May 19, 2022)

Improved Docker components.
Source code(tar.gz)
Source code(zip)
v0.3.9(May 17, 2022)

Fixed an output variable check.
Source code(tar.gz)
Source code(zip)
v0.3.8(May 13, 2022)

Fix some minor issues with JSON stdout output.
Source code(tar.gz)
Source code(zip)
v0.3.7(May 12, 2022)

Added Docker.
Source code(tar.gz)
Source code(zip)
v0.3.6(May 9, 2022)

Fixed a bug with a trailing slash in the -u command line option.
Source code(tar.gz)
Source code(zip)

Owner

Corelight, Inc.

Corelight is the most powerful network visibility solution for information security professionals, founded by the creators of open-source Zeek.

GitHub Repository

RedisJSON - a JSON data type for Redis

RedisJSON is a Redis module that implements ECMA-404 The JSON Data Interchange Standard as a native data type. It allows storing, updating and fetching JSON values from Redis keys (documents).

3.4k Dec 29, 2022

JsonParser - Parsing the Json file by provide the node name

Json Parser This project is based on Parsing the json and dumping it to CSV via

3 Aug 08, 2022

No more boilerplate to check and build a Python object from JSON.

JSONloader This module is for you if you're tired of writing boilerplate that: builds a straightforward Python object from loaded JSON. checks that yo

3 Feb 05, 2022

Python script for converting .json to .md files using Mako templates.

Install Just install poetry and update script dependencies Usage Put your settings in settings.py and .json data (optionally, with attachments) in dat

6 Dec 07, 2021

The ldap2json script allows you to extract the whole LDAP content of a Windows domain into a JSON file.

ldap2json The ldap2json script allows you to extract the whole LDAP content of a Windows domain into a JSON file. Features Authenticate with password

68 Dec 07, 2022

Convert your JSON data to a valid Python object to allow accessing keys with the member access operator(.)

JSONObjectMapper Allows you to transform JSON data into an object whose members can be queried using the member access operator. Unlike json.dumps in

4 Jul 20, 2022

Same as json.dumps or json.loads, feapson support feapson.dumps and feapson.loads

5 Dec 01, 2021

Marshall python objects to and from JSON

Pymarshaler - Marshal and Unmarshal Python Objects Disclaimer This tool is in no way production ready About Pymarshaler allows you to marshal and unma

9 Dec 20, 2022

Package to Encode/Decode some common file formats to json

ZnJSON Package to Encode/Decode some common file formats to json Available via pip install znjson In comparison to pickle this allows having readable

2 Feb 02, 2022

Ibmi-json-beautify - Beautify json string with python

3 Feb 02, 2022

Python script to extract news from RSS feeds and save it as json.

14 Dec 22, 2022

Define your JSON schema as Python dataclasses

62 Sep 20, 2022

Simple Python Library to convert JSON to XML

json2xml Simple Python Library to convert JSON to XML

79 Nov 11, 2022

A fast streaming JSON parser for Python that generates SAX-like events using yajl

json-streamer jsonstreamer provides a SAX-like push parser via the JSONStreamer class and a 'object' parser via the ObjectStreamer class which emits t

196 Dec 15, 2022

json|dict to python object

Pyonize convert json|dict to python object Setup pip install pyonize Examples from pyonize import pyonize

45 Nov 25, 2022

A python library to convert arbitrary strings representing business opening hours into a JSON format that's easier to use in code

9 Dec 02, 2022

A Python application to transfer Zeek ASCII (not JSON) logs to Elastic/OpenSearch.

Related tags

Overview

zeek2es.py

Command Line:

Command Line Options:

Requirements:

You might also like...

Python script for converting .json to .md files using Mako templates.

json|dict to python object

Editor for json/standard python data

Convert your JSON data to a valid Python object to allow accessing keys with the member access operator(.)

Python script to extract news from RSS feeds and save it as json.

Define your JSON schema as Python dataclasses

A Python tool that parses JSON documents using JsonPath

Simple Python Library to convert JSON to XML

Marshall python objects to and from JSON

Comments

Datastreams for zeek should be inside the logs-* naming

Releases(v0.3.15)

v0.3.15(Aug 18, 2022)

v0.3.12(May 27, 2022)

v0.3.11(May 25, 2022)

v0.3.10(May 19, 2022)

v0.3.9(May 17, 2022)

v0.3.8(May 13, 2022)

v0.3.7(May 12, 2022)

v0.3.6(May 9, 2022)

Owner

Corelight, Inc.

RedisJSON - a JSON data type for Redis

JsonParser - Parsing the Json file by provide the node name

No more boilerplate to check and build a Python object from JSON.

Python script for converting .json to .md files using Mako templates.

The ldap2json script allows you to extract the whole LDAP content of a Windows domain into a JSON file.

Convert your JSON data to a valid Python object to allow accessing keys with the member access operator(.)

Same as json.dumps or json.loads, feapson support feapson.dumps and feapson.loads

Marshall python objects to and from JSON

Package to Encode/Decode some common file formats to json

Ibmi-json-beautify - Beautify json string with python

Python script to extract news from RSS feeds and save it as json.

Define your JSON schema as Python dataclasses

Simple Python Library to convert JSON to XML

A fast streaming JSON parser for Python that generates SAX-like events using yajl

json|dict to python object

A python library to convert arbitrary strings representing business opening hours into a JSON format that's easier to use in code

Generate code from JSON schema files

JSONx - Easy JSON wrapper packed with features.

Convert your subscriptions csv file into a valid json for Newpipe!

Easy JSON wrapper modfied to wrok with suggestions