Zeek Configuration

CloudShark uses Zeek to generate the logs for the Zeek Logs analysis tool. This guide explains how to configure Zeek and add additional packages to extend its functionality.


Configuration

Zeek includes a single script for local customizations. This file is located at /usr/cloudshark/share/zeek/site/local.zeek and you can edit this file to configure Zeek.

It is recommended to set the Site::local_nets variable to the list of subnet ranges that Zeek should treat as local; this distinction is what drives the local_orig and local_resp fields in conn.log and several of Zeek's notice policies. By default, IANA-registered private address space such as 10.0.0.0/8 is included automatically. To make Zeek treat the 1.2.3.0/24 and 5.6.7.0/24 subnets as local, add the following line to local.zeek (Site::local_nets is a redefinable option, so the change is expressed with the redef keyword):

redef Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 };

For more information on how Zeek can be configured, see the following guides from the Zeek documentation. Note that CloudShark does not run Zeek with ZeekControl, so any steps in those guides that refer to ZeekControl (for example zeekctl commands) do not apply here:

Zeek Packages

Additional packages for Zeek can be installed using the zkg package manager. To run zkg you can use the command:

/usr/cloudshark/bin/zkg -h

You can browse the available packages on this site or run /usr/cloudshark/bin/zkg search <search_text>. Once you have found a package you would like to install, run the command:

/usr/cloudshark/bin/zkg install <package>
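The following local.zeek puts the two preceding sections together: the Site::local_nets redefinition from the Configuration section and the loading of zkg-installed packages. It is an added example, not the local.zeek that CloudShark ships. The 1.2.3.0/24 and 5.6.7.0/24 prefixes are the placeholders used above, 2001:db8::/32 is the IPv6 documentation prefix, and the zeek_init self-check at the end is this example's own addition for verifying the setting by hand; it also assumes zkg's script directory is on Zeek's script search path, which is how zkg's autoconfig sets things up.

```zeek
# local.zeek (added example; CloudShark's shipped file will differ)

# 1. Networks that Zeek should treat as local. The two public-looking
#    prefixes are the placeholders from the text above; replace them with
#    your own address space. IPv6 prefixes are written in brackets, and
#    2001:db8::/32 is the documentation prefix (also a placeholder).
redef Site::local_nets += {
	1.2.3.0/24,
	5.6.7.0/24,
	[2001:db8::]/32,
};

# 2. Load the scripts that zkg installed. zkg maintains a
#    packages/__load__.zeek that pulls in every installed package currently
#    marked as loaded (toggle with "zkg load" / "zkg unload"). This line
#    assumes zkg's script directory is on Zeek's script search path, which
#    zkg's autoconfig sets up; "zkg config script_dir" prints that directory.
@load packages

# 3. Self-check (an addition for this example): run the file by hand with
#    /usr/cloudshark/bin/zeek local.zeek and remove this block again before
#    regenerating logs. With no capture given, Zeek runs zeek_init, prints
#    the classification of a few probe addresses, and exits.
event zeek_init()
	{
	local probes = vector(1.2.3.4, 5.6.7.8, 10.1.1.1, 8.8.8.8, [2001:db8::1]);
	for ( i in probes )
		{
		local a = probes[i];
		print fmt("%s local=%s private=%s", a,
		          Site::is_local_addr(a), Site::is_private_addr(a));
		}
	}
```

Before regenerating logs it is worth running /usr/cloudshark/bin/zeek -a /usr/cloudshark/share/zeek/site/local.zeek, which parses the scripts and exits without processing any traffic; a typo in local.zeek or a package that fails to load is reported there rather than surfacing as an empty Zeek Logs view.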

Cache

CloudShark caches the log files generated by Zeek, so logs produced before a change are not updated automatically. After modifying the configuration or adding packages, users must use the Regenerate Logs button to run the Zeek Logs analysis tool with the updated configuration and packages.