Monitor multiple interfaces with Zeek on FreeBSD
Introduction
This is the fifth blog post in a series of posts about running Zeek on FreeBSD. The 4 previous posts are:
- Implement Zeek on FreeBSD
- Run Zeek as user zeek on FreeBSD
- First Zeek queries on FreeBSD
- Install Zeek packages on FreeBSD
In the first post of this series we configured Zeek to monitor a single network interface, but Zeek can also monitor several interfaces at once. In this post we explain how to change the Zeek configuration to monitor multiple interfaces.
Technical prerequisites
The following minimal technical prerequisites have to be in place to be able to implement what is described in this post:
- have Zeek implemented as described in Implement Zeek on FreeBSD
- have installed the Zeek Package Manager as described in Install Zeek packages on FreeBSD
Add a Zeek package
Before we change the Zeek configuration we install another Zeek package:
$ sudo -i
# zkg install zeek/j-gras/add-interfaces
This package adds a field called _interface to the Zeek log file conn.log, so every logged connection records the interface it was captured on. If required you can add this field to any other Zeek log file by changing the configuration of the zeek/j-gras/add-interfaces package.
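To show what the extra column gives you in practice, here is an added example (it is not code from the blog post or from the add-interfaces package) that reads a Zeek TSV conn.log carrying the _interface field and summarises connections per capture interface. The log excerpt is constructed for this example: it uses a trimmed-down column set (a real conn.log has more columns) and RFC 5737 documentation addresses.

```python
"""Group Zeek conn.log records by the _interface field.

Added example, not part of the original post or the add-interfaces package.
The sample log below is constructed: a reduced conn.log column set with the
_interface column appended at the end, as the package does."""
from collections import Counter

# Constructed sample conn.log in Zeek's TSV format (header lines start with '#').
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\t_interface
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1700000000.000001\tCAbc1\t192.0.2.10\t51234\t198.51.100.5\t443\ttcp\tSF\tem1
1700000001.000002\tCAbc2\t192.0.2.11\t51235\t198.51.100.5\t80\ttcp\tS0\tem2
1700000002.000003\tCAbc3\t203.0.113.7\t53\t192.0.2.12\t53\tudp\tSF\tem3
1700000003.000004\tCAbc4\t192.0.2.10\t51236\t198.51.100.9\t22\ttcp\tREJ\tem1
#close\t2023-11-14-22-13-24
"""

# conn_state values meaning the connection never completed:
# S0 = attempt seen, no reply; REJ = attempt rejected by the responder.
FAILED_STATES = {"S0", "REJ"}


def parse_zeek_tsv(text):
    """Yield one dict per record, keyed by the names in the #fields header line."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Only the #fields header matters for parsing; other '#' lines are metadata.
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data record before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield dict(zip(fields, values))


def connections_per_interface(text):
    """Count conn.log records per capture interface ('-' means the field was unset)."""
    counts = Counter()
    for rec in parse_zeek_tsv(text):
        counts[rec.get("_interface", "-")] += 1
    return dict(counts)


def failed_connections_per_interface(text):
    """Count connections that never completed, per interface.

    With several monitored segments this tells you on which interface the
    unanswered or rejected attempts are arriving."""
    counts = Counter()
    for rec in parse_zeek_tsv(text):
        if rec.get("conn_state") in FAILED_STATES:
            counts[rec.get("_interface", "-")] += 1
    return dict(counts)


if __name__ == "__main__":
    print(connections_per_interface(SAMPLE_CONN_LOG))         # {'em1': 2, 'em2': 1, 'em3': 1}
    print(failed_connections_per_interface(SAMPLE_CONN_LOG))  # {'em1': 1, 'em2': 1}
```

The parser keys each record by the #fields header rather than by column position, so it keeps working when the package is configured to add _interface to other logs, or when a site adds further columns to conn.log.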
Change the Zeek configuration
The Zeek configuration file node.cfg needs to change for Zeek to monitor more than 1 network interface. The node.cfg from the first blog post in this series looks like this (see Implement Zeek on FreeBSD):
[zeek]
type=standalone
host=localhost
interface=em1
Now we still want to use 1 server running Zeek, but want to use multiple interfaces to monitor network traffic. In the example below we use 3 network interfaces (em1, em2 and em3):
[logger]
type=logger
host=localhost
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=em1
[worker-2]
type=worker
host=localhost
interface=em2
[worker-3]
type=worker
host=localhost
interface=em3
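A mistake in node.cfg (a worker without an interface, or two workers on the same host pointed at the same interface) only shows up after deploying. The following added example, which is not code from the blog post or from zeekctl, reads a node.cfg with Python's configparser (node.cfg is INI-style) and reports such problems before you deploy. The rules it applies are this example's own sanity checks, not zeekctl's validation; both the single-interface and the three-interface configurations from the post are embedded, together with a constructed broken one.

```python
"""Sanity-check a Zeek node.cfg before deploying it.

Added example, not part of the original post or of zeekctl. The checks below
are this example's own rules: one standalone node or exactly one manager,
every capture node has an interface, and no two capture nodes on the same host
share an interface (without load balancing they would log every connection twice)."""
import configparser

# The single-interface node.cfg from the first post in the series.
SINGLE_CFG = """\
[zeek]
type=standalone
host=localhost
interface=em1
"""

# The three-interface node.cfg from this post.
CLUSTER_CFG = """\
[logger]
type=logger
host=localhost
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=em1
[worker-2]
type=worker
host=localhost
interface=em2
[worker-3]
type=worker
host=localhost
interface=em3
"""

# Constructed broken config: worker-2 duplicates em1, worker-3 has no interface.
BROKEN_CFG = """\
[manager]
type=manager
host=localhost
[worker-1]
type=worker
host=localhost
interface=em1
[worker-2]
type=worker
host=localhost
interface=em1
[worker-3]
type=worker
host=localhost
"""

NODE_TYPES = {"standalone", "logger", "manager", "proxy", "worker"}
CAPTURE_TYPES = {"standalone", "worker"}


def load_node_cfg(text):
    """Return {section name: {option: value}} for an INI-style node.cfg."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_node_cfg(text):
    """Return a list of human-readable problems; an empty list means the config passed."""
    nodes = load_node_cfg(text)
    problems = []
    by_type = {}

    for name, opts in nodes.items():
        node_type = opts.get("type")
        if node_type not in NODE_TYPES:
            problems.append(f"{name}: unknown or missing type {node_type!r}")
            continue
        by_type.setdefault(node_type, []).append(name)
        if "host" not in opts:
            problems.append(f"{name}: missing host")

    if "standalone" in by_type:
        if len(nodes) != 1:
            problems.append("a standalone node must be the only node in node.cfg")
    else:
        if len(by_type.get("manager", [])) != 1:
            problems.append("a cluster needs exactly one manager node")
        if not by_type.get("worker"):
            problems.append("a cluster needs at least one worker node")

    # Every capture node needs an interface, and interfaces must be unique per host.
    seen = {}  # (host, interface) -> first node that claimed it
    for name, opts in nodes.items():
        if opts.get("type") not in CAPTURE_TYPES:
            continue
        iface = opts.get("interface")
        if not iface:
            problems.append(f"{name}: capture node without an interface")
            continue
        key = (opts.get("host"), iface)
        if key in seen:
            problems.append(
                f"{name}: interface {iface} already used by {seen[key]} on the same host")
        else:
            seen[key] = name
    return problems


if __name__ == "__main__":
    for label, cfg in (("single", SINGLE_CFG), ("cluster", CLUSTER_CFG), ("broken", BROKEN_CFG)):
        print(label, check_node_cfg(cfg) or "ok")
```

Run it against /usr/local/etc/node.cfg (or wherever your Zeek installation keeps it) by passing the file contents to check_node_cfg before you stop Zeek and deploy; the duplicate-interface rule is deliberately strict and should be relaxed if you intentionally run several load-balanced workers on one interface.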
Enable the changes
To enable the above change we stop Zeek and deploy the new configuration with the following commands:
$ sudo service zeek stop
$ sudo service zeek deploy
And we are done!
Wrap up
This is the fifth blog post in a series of posts about Zeek on FreeBSD, and for now it is the last one.
Resources
Some other resources about this subject: