Zeek Logs
The Zeek Logs analysis tool makes it easy to run Zeek across your PCAP files and view the log output in CloudShark. Zeek gives you another view of your data and simplifies summarizing, extracting, and investigating the traffic in a PCAP.
Watch this video to see the Zeek Logs analysis tool in action!
CloudShark comes with several preset views designed to help cleanup and highlight some of the important data that is available in those logs. These presets help choose default columns, sorting, and filtering options.
To enter into the Zeek Logs tool, choose it from the Analysis Tools menu when viewing a capture. A dialog box presenting to you all available presets and saved views will be shown.
Clicking on a log, preset, or the Explore All Logs button will open the full-page view of the Zeek Logs analysis tool.
Main Window
The main window is broken into two sections — the sidebar, and the log-view. The sidebar shows the following:
- Any saved views that have been created by users
- A list of all the log files generated by Zeek
- All the preset views curated by CloudShark per Zeek log
Viewing a log
Clicking on any of the entries in the side bar will load that view into the main part of the page. Here, you can see the view’s name and the log file it was generated from, a description of the view, and rows and columns of data.
Row Details
Clicking on any row within the table will bring up the row-details popup. Even though it is possible to customize the columns visible in the table, the underlying data has values for all those additional columns. The row details shows you all those values.
Click prev/next in the popup to move around the table.
Pivot to the Packets
When viewing the row-details for a Zeek log that contains a uid value,
CloudShark will present a View Packets button to you in the footer of the
dialog box. Clicking on this link will open a new tab of the main
CloudShark packet window with a display filter applied that has been
built based on the connection uid from Zeek.
Searching
The table header contains a search box which will show only the rows in the table that match the string typed into the box. This is useful if you are looking for a value that may not appear exactly in a column. Partial IP addresses, OUI’s, and other parts of fields will all be partially matched without needing the full column value.
Pressing the Return key will update the table, and clicking clear removes any search terms restoring all the rows in the table.
Column Filter
When you want to filter your table based on a specific value found in the table, use the Column Filter feature.
Multiple filters together can be a great way to narrow down log entries that are important to you.
There are 2 ways to activate this feature:
1. Click on the pushpin in the column header
Hovering on a column header will make a pushpin icon appear to access the column-filters. Clicking on this icon will bring up a new dialog box containing all of the values found in the table, and counts of how many rows they appear in, as well as how many rows are currently shown that have this value.
Clicking on a row in this view toggles a filter for that value on and off. As you add and remove column filters, the counts will update – showing you which values are still visible in the filtered table.
2. Click on a table row, and use the checkboxes in the popup
Clicking on a table row will bring up the row-details view. This has a left-hand column of checkboxes that correspond to selected filters. Checking those boxes on and off will toggle column-filters for those values. You will see the table update behind the dialog box when those are changed.
This is useful when you have found a row to investigate, and want to filter on a value from that specific row.
Sorting and Paging
Sorting and paging is also available. Paging controls can be found in the table header while sorting can be controlled by clicking the small arrows in each column header.
Where possible, the datatype of the column is taken into account for searching. That means that numbers will be sorted numerically, and not alphabetically. The types are defined in the Zeek log.
Customizing Columns
Clicking on the Customize Columns table header link will bring up the column picker dialog box. Here you have access to all the columns available in the chosen log, and they can be turned on or off as you desire.
Additionally, CloudShark has added two shortcuts to help cut down on column overload. You can choose from the following presets:
- Multi-value chooses columns that have more than one value. If every row in the table for a given column is the same (including empty) it will be omitted.
- Non-Empty enables any column that is not completely empty.
Sort | Unique
Most of the Zeek log management tutorials out there have you pipe log
data to two Linux commands: sort and uniq. This gives you a very
easy way to see which rows in the output are most popular.
CloudShark has this capability built-in. When you’re customizing
columns, add the special _count column to the table. Now, your rows
will be aggregated and counted across the selected columns, giving you a
quick count of which fields appear together.
Save Your Work
After you have spent your time filtering, searching, sorting and picking the information you want to see, save it!
Clicking on the Save button in the top-right corner will bring up a dialog box allowing you to name you new view, and to leave a Markdown enabled description to accompany it. These views are saved to a special URL that you can then share with coworkers and other analysts to pick up where you left off.
History and Reset
As you go through the tool, you can use the browser’s history to switch between views, as well as use the reset link in the top-right to return your view to it’s starting point. Also, you can switch between views and not lose any changes to the one you left, but don’t reload the page without saving.
