CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
26619e5f8d91c260a4f8b310fc912bcc09295bb8
securityonion/salt/zeek/soc_zeek.yaml
bryant-treacle 57d90a62f7 Update soc_zeek.yaml
2023-04-27 16:21:41 -04:00

58 lines
2.9 KiB
YAML
Raw Blame History

zeek:
logging:
enabled:
description: This is a list of Zeek logs that will be shipped through the pipeline. If you remove a log from this list, it will still persist on the sensor.
helpLink: zeek.html
config:
local:
load:
description: Contains a list of policies and scripts loaded by Zeek. Values in the Current Grid Value dialog box apply to every instance of Zeek. Values in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
helpLink: zeek.html
load-sigs:
description: Contains a list of signatures loaded by Zeek. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
helpLink: zeek.html
redef:
description: List of Zeek variables to redefine. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
advanced: True
helpLink: zeek.html
node:
lb_procs:
description: Contains the number of CPU cores or workers used by Zeek. This setting should only be applied to individual nodes and will be ignored if CPU affinity is enabled.
title: workers
helpLink: zeek.html
node: True
pins_enabled:
description: Enabling this setting allows you to pin Zeek to specific CPUs.
title: cpu affinity enabled
forcedType: bool
helpLink: zeek.html
node: True
advanced: True
pins:
description: Contains a list of specific CPU cores pinned to Zeek workers. To set the CPU affinity, enter the processor ID number in the dialog box for the desired node. To retrieve the processor ID numbers, run the command "cat /proc/cpuinfo | grep processor" on the desired node. Please note that this setting should only be applied to individual nodes.
title: cpu affinity
multiline: True
forcedType: "[]string"
helpLink: zeek.html
node: True
advanced: True
zeekctl:
CompressLogs:
description: This setting enables compression of Zeek logs. If you are seeing packet loss at the top of the hour in Zeek or PCAP you might need to disable this by seting it to 0. This will use more disk space but save IO and CPU.
helpLink: zeek.html
policy:
custom:
filters:
conn:
description: Conn Filter for Zeek. This is an advanced setting and will take further action to enable.
helpLink: zeek.html
file: True
global: True
advanced: True
file_extraction:
description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENTION"}
helpLink: zeek.html
Reference in New Issue View Git Blame Copy Permalink