Sunday, September 8, 2019

Building Zeek on Raspbian

The Zeek project now has prebuilt ARM binaries that can be installed directly from the repos. 


Now that we have filebeat installed, let's use zeek/bro to generate some logs.
This write up assumes the same file paths used in my last post. If you are not using Raspbian and following along, you might need to change some file paths to match your system.

Install zeek module for filebeat
First we need to install the Zeek module; for some reason it is not installed when building filebeat from github. The module is just a collection of configuration files, so we can pull it from one of the official filebeat packages. For this write up I will use the filebeat for Windows download.
Inside the zip archive we want the \module\zeek folder.
Copy it to /usr/share/filebeat/module
sudo chown -R root:root /usr/share/filebeat/*
Configure zeek module

sudo nano /etc/filebeat/filebeat.yml
{paste below into the modules section}
filebeat.modules:
- module: zeek
  # All logs
  connection:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/conn.log"]
  dns:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/dns.log"]
  http:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/http.log"]
  ssl:
    enabled: true
    var.paths: ["/usr/local/zeek/logs/current/ssl.log"]
{end paste}
Let's restart filebeat
sudo service filebeat restart

Build zeek
So Bro 2.5.5 is available in the Raspbian repository. While it works, it is getting old and the GeoIP database it uses is no longer supported. Instead of downloading the current stable or latest RC, let's go all out and build the current dev version from github. Why not, I like pain…
First let's go home.
cd $HOME

We've got some downloading to do, so let's just get it all going.
git clone --recursive https://github.com/zeek/zeek

We need a few more packages before we start building.
libmaxminddb-dev is needed for GeoIP support. Building zeek on a Raspberry Pi 4 4GB takes a long time, and if this package is missing the build will still succeed, just without GeoIP support. Even if you don't need it right now you might as well add it so you don't have to build twice.
sudo apt -y install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev 
sudo apt -y install libmaxminddb-dev python-setuptools
cd $HOME/zeek

This will take a while…
./configure && make && sudo make install


Enable JSON logs for zeek
sudo nano /usr/local/zeek/share/zeek/site/local.zeek
{Paste this at the end}
# Output to JSON
@load policy/tuning/json-logs.zeek
{end paste}

Now let's build pysubnettree
cd $HOME/pysubnettree
sudo python setup.py install

Now let's build zeekctl
cd $HOME/zeekctl
sudo cp -r $HOME/zeek/cmake/ $HOME/zeekctl/
./configure && make && sudo make install

sudo zeekctl
At the zeekctl prompt run these commands one at a time:
install
deploy
stop
exit
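Once zeekctl has deployed, it is worth checking that the module config from the filebeat section and the Zeek logs actually line up before restarting filebeat, since the filebeat zeek module expects Zeek's JSON log format (which is why json-logs.zeek is loaded above); a log still in the default tab-separated format starts with "#separator" and will not be parsed. The script below is an added example, not part of this post or of the Zeek or filebeat projects. It reads the var.paths lines from filebeat.yml, checks that each file exists, is readable and starts with "{", and checks that the module directory copied earlier is present. The default paths are the ones used in this post; the function names are my own.

```shell
#!/bin/sh
# check_zeek_filebeat.sh (added example): verify that the zeek module entries
# in filebeat.yml point at Zeek logs that exist, are readable and are JSON.
# Usage: sh check_zeek_filebeat.sh [/etc/filebeat/filebeat.yml]

# Print every path listed on a "var.paths:" line of a filebeat config.
# Handles the single-path form used in the post: var.paths: ["/some/file.log"]
extract_var_paths() {
  sed -n 's/^[[:space:]]*var\.paths:[[:space:]]*\["\([^"]*\)"].*/\1/p' "$1"
}

# Return 0 if the first non-blank line of a log file starts with "{" (Zeek's
# JSON-per-line format), 1 otherwise. A tab-separated Zeek log starts with
# "#separator", so it is reported as not JSON; empty files are not JSON either.
is_json_log() {
  first=$(sed -n '/[^[:space:]]/{p;q;}' "$1" 2>/dev/null || true)
  case "$first" in
    \{*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Check every var.paths entry in a config. Prints one line per problem
# ("MISSING <path>", "UNREADABLE <path>" or "NOT_JSON <path>") and nothing
# when all is well. Always returns 0 so it is safe to call under set -e.
# Paths containing spaces are not expected in Zeek's log directory.
check_paths() {
  for p in $(extract_var_paths "$1"); do
    if [ ! -e "$p" ]; then
      echo "MISSING $p"
    elif [ ! -r "$p" ]; then
      echo "UNREADABLE $p"
    elif ! is_json_log "$p"; then
      echo "NOT_JSON $p"
    fi
  done
  return 0
}

# The post copies the module out of the Windows package to this directory.
module_present() {
  [ -d "${1:-/usr/share/filebeat/module/zeek}" ]
}

main() {
  cfg="${1:-/etc/filebeat/filebeat.yml}"
  if ! module_present; then
    echo "zeek module directory missing under /usr/share/filebeat/module"
  fi
  problems=$(check_paths "$cfg")
  if [ -n "$problems" ]; then
    echo "$problems"
    echo "fix the above before restarting filebeat"
    return 1
  fi
  echo "all var.paths entries in $cfg exist, are readable and look like JSON"
}

# Only run the checks when a config path (or no-op argument) is given, so the
# functions can also be sourced from another script.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root (or as the user filebeat runs as) so the readability check reflects what filebeat itself will see; a NOT_JSON result right after enabling json-logs.zeek usually just means zeek has not been redeployed since local.zeek was edited.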


Configure zeek

Sunday, September 1, 2019

Building Filebeat 8 on Raspbian

Filebeat now has prebuilt ARM binaries that can be installed directly from the repos. 

First I want to thank Michael Blouin and Michael Ross for their posts that largely guided me through figuring this out.
For this guide I will be using Raspbian Buster Lite 2019-07-10 on a Raspberry Pi 4 4GB (this guide won't work on units with 1 GB of RAM). You will need sudo access, and please remember to change the password for 'pi' or, better, create a new user and remove 'pi'.
Installing Go 1.12.9, the latest build I could find for ARM
Building Elastic filebeat 8.0.0, the current version on github right now

Prep

We are going to need git.  It is not on Raspbian Lite out of the box.
sudo apt -y install git

Uninstall Go

We will want to remove any older versions.  Currently 1.11 is installed on Raspbian and doesn't support some features that are needed for filebeat 8.0.0.
sudo which go && sudo rm -rf /usr/bin/go* /usr/local/go


Install Go

At the time of this writing 1.12.9 was the newest version of Go I could find already built for ARM. Why build it from source if we don't need to?
cd $HOME/
wget https://dl.google.com/go/go1.12.9.linux-armv6l.tar.gz
sudo tar -C /usr/local -xzf go1.12.9.linux-armv6l.tar.gz
export PATH=$PATH:/usr/local/go/bin
export GOPATH=$HOME/go
go version
go clean -cache

Download beats source

Let's download the latest beats source, 8.0.0 at the time of this write up.
mkdir -p $HOME/go/src/github.com/elastic/
cd $HOME/go/src/github.com/elastic/
git clone https://github.com/elastic/beats


Build filebeat

cd beats/filebeat/
sudo su
export PATH=$PATH:/usr/local/go/bin
export GOPATH=/home/pi/go
make
./filebeat version
exit


Install filebeat

Nope, no nice .deb file here but it is easy to manually install.
sudo mkdir /usr/share/filebeat /usr/share/filebeat/bin /etc/filebeat /var/log/filebeat /var/lib/filebeat
sudo mv filebeat /usr/share/filebeat/bin
sudo mv module /usr/share/filebeat/
sudo mv modules.d/ /etc/filebeat/
sudo cp filebeat.yml /etc/filebeat/
sudo chmod 750 /var/log/filebeat
sudo chmod 750 /etc/filebeat/
sudo chown -R root:root /usr/share/filebeat/*

Create filebeat Service

Now that we have filebeat installed we will want to create a system service so we can manage it like any other service.
sudo nano /lib/systemd/system/filebeat.service
{paste}
[Unit]
Description=filebeat
Documentation=https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Wants=network-online.target
After=network-online.target
[Service]
ExecStart=/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
Restart=always
[Install]
WantedBy=multi-user.target
{end paste}
Save and close out of Nano
Ctrl+x
Y
enter

sudo systemctl enable filebeat.service
sudo service filebeat start
sudo service filebeat status
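A hand-typed unit file is easy to get subtly wrong: if Wants= names a unit that does not exist, systemd still starts the service because Wants= is only a weak dependency, so the "wait for the network" intent is silently lost, and a wrong ExecStart= path only shows up as a failed start. systemd-analyze verify /lib/systemd/system/filebeat.service is the built-in check for this. The script below is an added example, not part of this post or of filebeat, that does the two most useful parts of that check on any system (even one where you cannot run systemd-analyze, such as a build box): it lists the units referenced by Wants= and After= and reports any that are not present in the unit directories, and it reports an ExecStart= program that is not an executable file. The function names and the sample unit in its test are my own.

```shell
#!/bin/sh
# check_unit.sh (added example): sanity-check a hand-written systemd unit
# before enabling it.
# Usage: sh check_unit.sh /lib/systemd/system/filebeat.service [unit-dir ...]

# Print the unit names referenced by Wants= and After= lines, one per line.
unit_deps() {
  sed -n -e 's/^[[:space:]]*Wants=//p' -e 's/^[[:space:]]*After=//p' "$1" \
    | tr ' ' '\n' | sed '/^$/d'
}

# Print each referenced unit that cannot be found in any of the given unit
# directories (default: the standard systemd locations). Always returns 0.
missing_deps() {
  unit="$1"; shift
  if [ $# -eq 0 ]; then
    set -- /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system
  fi
  for dep in $(unit_deps "$unit"); do
    found=0
    for d in "$@"; do
      if [ -e "$d/$dep" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then echo "$dep"; fi
  done
  return 0
}

# Print the program named in the first ExecStart= line (systemd's optional
# "-", "@", "+", "!" and ":" prefixes stripped) if it is not an executable
# file; print nothing when it is fine. Always returns 0.
missing_exec() {
  prog=$(sed -n 's/^[[:space:]]*ExecStart=[-@+!:]*//p' "$1" | head -n 1 | cut -d ' ' -f 1)
  if [ -n "$prog" ] && [ ! -x "$prog" ]; then
    echo "$prog"
  fi
  return 0
}

main() {
  rc=0
  for dep in $(missing_deps "$@"); do
    echo "unknown unit referenced: $dep (check Wants=/After= for typos)"
    rc=1
  done
  prog=$(missing_exec "$1")
  if [ -n "$prog" ]; then
    echo "ExecStart program not executable: $prog"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "$1 looks consistent"; fi
  return $rc
}

# Only run when a unit path is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it before systemctl enable; a non-zero exit means at least one dependency name or the ExecStart= path needs fixing, and the messages say which.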

Now we have filebeat working!  Time to configure /etc/filebeat/filebeat.yml for your log files and destination host.


Clean up

If everything is working we can do a bit of cleanup.
cd $HOME
rm $HOME/go1.12.9.linux-armv6l.tar.gz
sudo rm -rf $HOME/go
