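#!/usr/bin/env bash
# Build and install libmaxminddb and Zeek 3.0.6 from source on a yum-based host.
# Everything is fetched and built under /data; Zeek installs to its default
# prefix (/usr/local/zeek). Must run as root (yum, make install, ldconfig).
#
# Optional env:
#   ZEEK_SHA256 - sha256 of zeek-3.0.6.tar.gz as published on the Zeek release
#                 page; when set, the download is verified before unpacking.
set -euo pipefail

readonly build_root=/data
readonly zeek_version=3.0.6
readonly zeek_tarball="zeek-${zeek_version}.tar.gz"
readonly zeek_url="https://github.com/zeek/zeek/releases/download/v${zeek_version}/${zeek_tarball}"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Build dependencies for both libmaxminddb (autotools) and Zeek, installed up
# front so the libmaxminddb build does not run before gcc/make exist. Every
# yum call is non-interactive (-y); the original mixed an interactive call
# with a non-interactive one, which blocks under automation, and repeated the
# word "install" as if it were a package name.
yum -y install autoconf automake libtool git \
  cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel \
  python-devel swig zlib-devel

# Create the working directory and actually enter it (the original only
# created it, so every later relative path was resolved somewhere else).
mkdir -p -- "$build_root"
cd -- "$build_root" || die "cannot cd to $build_root"

# --- libmaxminddb ----------------------------------------------------------
# NOTE(review): this builds whatever HEAD the clone returns and installs it
# system-wide as root; pin a release tag (git checkout <release-tag>) for a
# reproducible build.
git clone --recursive https://github.com/maxmind/libmaxminddb
(
  cd libmaxminddb || die "clone of libmaxminddb is missing"
  ./bootstrap
  ./configure
  make
  make check
  make install
)
ldconfig

# --- zeek ------------------------------------------------------------------
wget -O "$zeek_tarball" -- "$zeek_url"
if [[ -n "${ZEEK_SHA256:-}" ]]; then
  printf '%s  %s\n' "$ZEEK_SHA256" "$zeek_tarball" | sha256sum -c - \
    || die "checksum mismatch for $zeek_tarball"
else
  printf 'warning: ZEEK_SHA256 not set; %s was not verified\n' "$zeek_tarball" >&2
fi
tar -zxf "$zeek_tarball"
# The original moved the tarball rather than the unpacked tree, so the
# following cd failed; move the extracted directory and cd by absolute path.
mv -- "zeek-${zeek_version}" "${build_root}/zeek"
cd -- "${build_root}/zeek" || die "cannot cd to ${build_root}/zeek"
# '&&', not '&': the original backgrounded configure, make and make install
# concurrently, so make started before configure had finished.
./configure && make && make install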
#配置zeek
[root@localhost etc]# pwd
/usr/local/zeek/etc
[root@localhost etc]# ls
networks.cfg node.cfg zeekctl.cfg
[root@localhost etc]# cat node.cfg
······
[zeek]
type=standalone
host=localhost
interface=ens224 ##修改为需要监控的网卡名称
······
##启动zeek
[root@localhost bin]# pwd
/usr/local/zeek/bin
[root@localhost bin]# ./zeekctl
Welcome to ZeekControl 2.0.0
Type "help" for help.
[ZeekControl] > install #第一次启动需要安装
removing old policies in /usr/local/zeek/spool/installed-scripts-do-not-touch/site …
removing old policies in /usr/local/zeek/spool/installed-scripts-do-not-touch/auto …
creating policy directories …
installing site policies …
generating standalone-layout.zeek …
generating local-networks.zeek …
generating zeekctl-config.zeek …
generating zeekctl-config.sh …
[ZeekControl] > start
[ZeekControl] > stop
[ZeekControl] > exit
##日志查看路径
[root@localhost current]# pwd
/usr/local/zeek/logs/current
##修改日志类型为json
[root@localhost site]# pwd
/usr/local/zeek/share/zeek/site
[root@localhost site]# ls
local.zeek
#在配置文件底部添加如下内容
[root@localhost site]# cat local.zeek
····
@load tuning/json-logs
redef LogAscii::json_timestamps = JSON::TS_ISO8601;
redef LogAscii::use_json = T;
······
展示图