Problems with zeek-agent on Linux
byamao1 opened this issue
I have some problems when using zeek-agent.
This is my environment:
CentOS Linux release 7.8.2003
OSquery 4.2.0
zeek 3.0.12
zeek-agent 1.0.2
zeek-agent-framework 0.4
My work:
- installed zeek, OSquery, zeek-agent, zeek-agent-framework successfully
- configure zeek-agent:
{
  "server_address": "127.0.0.1",
  "server_port": 9999,
  "log_folder": "/var/log/zeek",
  "max_queued_row_count": 5000,
  "osquery_extensions_socket": "/var/osquery/osquery.em",
  "group_list": []
}
- configure /opt/zeek/share/zeek/site/local.zeek, add this at the end:
@load zeek-agent
- configure /opt/zeek/share/zeek/site/zeek-agent/load.zeek, add this at the end:
@load ./examples/auditd
- start the auditd service, start osqueryd
- start zeek-agent:
sudo zeek-agent
- start zeekctl:
zeekctl deploy
zeekctl
[ZeekControl] > start
Everything is right. I could find logs in /opt/zeek/logs/current:
broker.log conn.log dns.log ntp.log stats.log stdout.log zeek-agent.log
capture_loss.log dhcp.log loaded_scripts.log packet_filter.log stderr.log weird.log
but I can't see any log name starting with "agent_" , such as: agent_socket_events.log agent_process_events.log (from vZW20 - Day 2 - Zeek Agent: Correlating Host & Network Logs for Better Forensics - Wajih Ul Hassan).
My questions:
- Was there anything wrong in my actions?
- Where are agent_socket_events.log agent_process_events.log?
- What is the relation between virtual tables and "agent_*.log" ?
- Virtual tables are stored in sqlite or osquery?
Thank you very much!
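The setup described in the post, turned into a pre-flight check. This is an added example and not code from zeek-agent, osquery or the Zeek project. It reads a config file with the same keys the post shows (server_address, server_port, log_folder, osquery_extensions_socket) and reports whether the prerequisites behind those keys hold. What each check means is an assumption of this script, not something the post or the project documents: that the agent connects over TCP to server_address:server_port, that it needs the osquery extension socket to exist as a Unix socket (i.e. osqueryd is running), that it needs write access to log_folder, and that Zeek writes the agent_* logs into its current log directory. The path /opt/zeek/logs/current is taken from the post.

```python
"""Pre-flight checks for a zeek-agent setup like the one in the post.

Added example, not zeek-agent's or Zeek's own code. The config keys come
from the posted config; what each check tests for is an assumption here.
"""
import json
import os
import socket
import stat
import sys

# Keys used by the config in the post (max_queued_row_count and group_list
# are left out because nothing here depends on them).
REQUIRED_KEYS = ("server_address", "server_port", "log_folder",
                 "osquery_extensions_socket")


def config_problems(cfg):
    """Return a list of problems with a parsed config dict (empty list if fine)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in cfg:
            problems.append("missing key: %s" % key)
    port = cfg.get("server_port")
    if port is not None:
        try:
            ok = 0 < int(port) < 65536
        except (TypeError, ValueError):
            ok = False
        if not ok:
            problems.append("server_port out of range: %r" % (port,))
    return problems


def load_config(path):
    """Parse the JSON config file and raise if config_problems() finds anything."""
    with open(path) as fh:
        cfg = json.load(fh)
    problems = config_problems(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return cfg


def socket_file_present(path):
    """True only if path exists and is a Unix domain socket.

    Assumption: osqueryd creates osquery_extensions_socket when it runs, so a
    missing or non-socket path means the agent cannot register as an extension.
    """
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def log_folder_writable(path):
    """True if log_folder is an existing directory this user can write to."""
    return os.path.isdir(path) and os.access(path, os.W_OK)


def tcp_port_open(host, port, timeout=1.0):
    """True if something accepts a TCP connection on host:port.

    Assumption: server_address/server_port in the config is where Zeek (via
    Broker) listens for the agent, so a refused connection means Zeek is not
    listening there yet.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def agent_logs_present(zeek_log_dir):
    """Sorted names of agent_* logs in Zeek's current log directory ([] if none)."""
    try:
        return sorted(n for n in os.listdir(zeek_log_dir) if n.startswith("agent_"))
    except OSError:
        return []


def run_checks(config_path, zeek_log_dir="/opt/zeek/logs/current"):
    """Run every check against a config file and return the results as a dict."""
    cfg = load_config(config_path)
    return {
        "osquery_socket": socket_file_present(cfg["osquery_extensions_socket"]),
        "log_folder": log_folder_writable(cfg["log_folder"]),
        "server_reachable": tcp_port_open(cfg["server_address"], int(cfg["server_port"])),
        "agent_logs": agent_logs_present(zeek_log_dir),
    }


if __name__ == "__main__":
    # Usage: python3 check_agent.py /path/to/zeek-agent-config.json
    for name, result in run_checks(sys.argv[1]).items():
        print("%-16s %s" % (name, result))
```

On the host from the post, a False for osquery_socket or server_reachable points at the component to look at first (osqueryd not running, or Zeek not listening on 127.0.0.1:9999), while an empty agent_logs list with everything else True means the agent connects but no agent_* log is being written.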