Cisco Secure Network Analytics
Zeek Configuration Guide 7.5.3
Introduction
Use this guide to configure Cisco Secure Network Analytics (formerly Stealthwatch), v7.5.3 or later, to capture Zeek telemetry.
[info] Data Store is required with Analytics enabled to support detections using Zeek telemetry.
Overview
Zeek is primarily used as a passive network traffic analyzer. It lets security teams analyze network traffic, detect suspicious activity, and investigate potential threats by generating detailed logs of network events, including application-level details obtained through its protocol parsers. Zeek provides the following:
- Threat Hunting and Incident Response: By analyzing Zeek logs, security teams can identify anomalous behavior, investigate potential security incidents, and hunt for malicious activity across the network.
- Passive Mode: Because Zeek operates in a passive mode, observing network traffic without interfering with the flow, it is less disruptive to network operations.
- Detailed Logs: Zeek generates detailed logs that capture comprehensive information about network connections, including timestamps, source/destination IP addresses, ports, protocols, and even file content, facilitating thorough analysis.
- Storage: Zeek logs are stored as follows.
- Most logs are stored in the Flow Collector, but the conn.log is in Data Store.
- The Flow Collector deletes all data older than 30 days. For more details, refer to "Resource Requirements" in the Virtual Edition Appliance Installation Guide.
Requirements
Make sure Analytics is enabled. Choose Configure > Detection > Analytics from the main menu, then click Analytics On.
The requirements are as follows:
- Secure Network Analytics v7.5.3
- Data Store with Analytics enabled
Zeek telemetry is the default for new installations during First Time Setup. If you're upgrading from a previous release, you'll need to configure Zeek telemetry in Advanced Settings.
[info] You don't need to purchase a separate license for Zeek telemetry. For more information about licensing, refer to the Smart Software Licensing Guide 7.5.3.
Performance Estimate
We support 100,000 events (Syslog messages) per second on a hardware platform. For details about resource requirements, refer to the hardware installation guide. For more information about combined telemetry resource requirements, refer to the Virtual Edition Appliance Installation Guide.
There are several factors, such as event rate and number of log types being ingested, that can impact your specific performance. While we do our best to represent the data as fairly and accurately as possible, your environment may experience different limits.
Zeek Logs
All Zeek logs are collected via Syslog, but detections currently use only the following logs:
- conn.log
- dce_rpc.log
- dns.log
- smb_files.log or smb_mappings.log
[info] In some instances, the dce_rpc.log and smb_files.log might be sent to the smb_mappings.log.
All Supported Zeek Logs
The following Zeek log types are supported, stored and available for reporting, within Secure Network Analytics. The log types that are also used for detections are noted in the last column of the table.
Log File | Description | Used for Detections? |
--- | --- | --- |
capture_loss | Packet loss rate | No |
conn | TCP/UDP/ICMP connections | Yes |
dce_rpc | Distributed Computing Environment/RPC | Yes |
dhcp | DHCP (Dynamic Host Configuration Protocol) leases | No |
dnp3 | DNP3 (Distributed Network Protocol 3) requests and replies | No |
dns | DNS (Domain Name System) activity | Yes |
dpd | DPD (Dynamic Protocol Detection) | No |
files | File analysis results | No |
ftp | FTP (File Transfer Protocol) activity | No |
http | HTTP requests and replies | No |
intel | Intelligence data matches | No |
irc | IRC (Internet Relay Chat) commands and responses | No |
kerberos | Kerberos | No |
known_certs | SSL certificates | No |
known_hosts | Hosts that have completed TCP (Transmission Control Protocol) handshakes | No |
known_services | Services running on hosts | No |
modbus | Modbus commands and responses | No |
modbus_register_change | Tracks changes to Modbus holding registers | No |
mysql | MySQL | No |
notice | Zeek notices | No |
ntlm | NTLM (NT LAN Manager) | No |
ntp | NTP (Network Time Protocol) | No |
ocsp | Online Certificate Status Protocol (OCSP) | No |
pe | Portable Executable (PE) | No |
radius | RADIUS authentication attempts | No |
rdp | RDP (Remote Desktop Protocol) | No |
rfb | Remote Framebuffer (RFB) | No |
signatures | Signature matches | No |
sip | SIP (Session Initiation Protocol) | No |
smb_cmd | SMB (Server Message Block) commands | No |
smb_files | SMB (Server Message Block) files | Yes |
smb_mapping | SMB (Server Message Block) trees | Yes |
smtp | SMTP (Simple Mail Transfer Protocol) transactions | No |
snmp | SNMP (Simple Network Management Protocol) messages | No |
socks | SOCKS proxy requests | No |
software | Software being used on the network | No |
ssh | SSH connections | No |
ssl | SSL/TLS handshake information | No |
syslog | Syslog messages | No |
traceroute | Traceroute detection | No |
tunnel | Tunneling protocol events | No |
weird | Unexpected network-level activity | No |
x509 | X.509 certificate information | No |
Format for Zeek Logs
Make sure Zeek logs are configured to be exported by Syslog as JSON in the specified format.
- Transport: Zeek logs are sent as JSON over Syslog over UDP (9514 is the default port).
- Format: The Zeek log generator must add the zeek_filename="xxx.log" tag before the JSONL string so the Flow Collector can identify the log type.
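The following added example (not Cisco's or Zeek's own code) builds one message in the form described above, parses it back on the receiving side, and forwards JSONL lines over UDP. It assumes the tag is followed by a single space, that each Zeek record is one compact JSON object, and that no RFC 3164/5424 PRI header is required, none of which the guide specifies.

```python
"""Build, parse and forward Zeek log records in the tagged JSON-over-Syslog form.

Added example, not Cisco's or Zeek's code. Assumptions not stated in the guide:
plain UDP text with no PRI header, one space after the tag, compact JSON body.
"""
import json
import re
import socket

ZEEK_PORT = 9514  # default UDP port for Zeek telemetry on the Flow Collector
_TAG_RE = re.compile(r'^zeek_filename="(?P<name>[^"]+\.log)"\s+(?P<body>\{.*\})\s*$')


def format_message(log_name: str, record: dict) -> str:
    """Prefix one JSON record with the tag: zeek_filename="conn.log" {...}."""
    if not log_name.endswith(".log"):
        raise ValueError("log name must end in .log, e.g. conn.log")
    body = json.dumps(record, separators=(",", ":"))
    return f'zeek_filename="{log_name}" {body}'


def parse_message(payload: str):
    """Return (log name, parsed record) for a tagged payload, or None if the tag
    is missing or the body is not valid JSON, so a receiver can count malformed
    messages instead of failing on them."""
    m = _TAG_RE.match(payload)
    if not m:
        return None
    try:
        return m.group("name"), json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None


def forward_lines(log_name: str, lines, host: str, port: int = ZEEK_PORT) -> int:
    """Send each JSONL line of a Zeek log as one UDP datagram; returns the count sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            line = line.strip()
            if not line:
                continue
            sock.sendto(format_message(log_name, json.loads(line)).encode("utf-8"), (host, port))
            sent += 1
    return sent


if __name__ == "__main__":
    # Constructed sample conn.log record; field names follow Zeek's JSON conn.log.
    sample = {"ts": 1752702840.1, "uid": "CExample1", "id.orig_h": "10.0.0.5",
              "id.orig_p": 51234, "id.resp_h": "10.0.0.9", "id.resp_p": 445, "proto": "tcp"}
    msg = format_message("conn.log", sample)
    print(msg)
    print(parse_message(msg))
```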
Configuring the Flow Collector to Ingest Zeek Telemetry
These are the two options for configuring Zeek telemetry in Secure Network Analytics:
- First Time Setup: Zeek telemetry is the default for new installations, but you can Confirm Zeek Telemetry During First Time Setup (Data Store Only).
- Advanced Settings: When you're upgrading from a previous release, you'll need to Configure Zeek Telemetry in Advanced Settings.
[info] For more information about configuring Secure Network Analytics, refer to the System Configuration Guide.
Confirm Zeek Telemetry During First Time Setup (Data Store Only)
To enable ingest of Zeek telemetry on a new Flow Collector with Data Store, complete the following steps:
1. Follow the instructions in the applicable appliance installation guide for your Flow Collector. Then, use the System Configuration Guide for more detailed instructions on configuring multiple telemetry types on the appliance.
2. Access the virtual machine console. Allow the virtual appliance to finish booting up.
3. Log in through the console.
- Login: sysadmin
- Default Password: lan1cope
[info] You'll typically change the default password when you configure the system for the first time.
4. Review the failed login attempts information. Select OK to continue. (This step refers to a console output showing login information, indicating no failed attempts and the last login time.)
5. Review the First Time Setup introduction. Select OK to continue. (This step refers to a console message welcoming the user to the First Time Setup wizard, estimating completion time.)
6. Select Zeek Logs from the list of telemetry types. Select OK to continue. (This step refers to a console screen listing telemetry types like NetFlow, Firewall Logs, and Zeek Logs, with checkboxes indicating selection status.)
[info] All telemetry types are selected by default in a new deployment. If you're upgrading to v7.5.3 from a previous release, refer to Configure Zeek Telemetry in Advanced Settings.
7. Confirm the port for Zeek Logs is 9514, then select OK. (This step refers to a console screen showing configured UDP ports for various telemetry types, confirming 9514 for Zeek Logs.)
We recommend you use Port 9514. Do not use Ports 514, 2030, 2055, 8514, or 8515.
[warning] Make sure your telemetry ports are unique. If you configure duplicate telemetry ports, the ports will be reset to their internal defaults to avoid loss of flow data. For example, if NetFlow and Zeek are exported to the same telemetry port, each device exporting Zeek data will create an exporter on the Flow Collector and exhaust the exporter resources in the Flow Collector engine, resulting in loss of flow data.
8. Click Apply to save your changes.
9. Follow the on-screen prompts to finish the virtual environment and restart the appliance.
Configure Zeek Telemetry in Advanced Settings
To begin ingesting Zeek telemetry on a Flow Collector that has already been configured, complete the following steps:
1. Log in to your Manager.
2. From the main menu, select Configure > Global > Central Management.
3. On the Inventory page, click the [ellipsis icon] for your Flow Collector, then select View Appliance Statistics. The Flow Collector Admin interface opens.
4. Select Support > Advanced Settings.
[info] If a field is not shown, click the Add New Option field. For more information about editing advanced settings on the Flow Collector, refer to the Advanced Settings Help topic.
5. In the enable_zeek field, set the value to 1 to capture Zeek telemetry.
[info] Make sure you've configured Zeek to forward logs in JSON format.
6. Confirm the value is set to 9514 in the zeek_port field.
Verifying Zeek Telemetry
To verify Zeek telemetry is being captured, review the Zeek Log Collection Trend report:
- Log in to your Manager.
- From the main menu, select Report > Report Builder.
- Click Create New Report, then select Zeek Log Collection Trend.
- Click Run.
- Review the report to confirm that Zeek telemetry is being collected.
Zeek Log Collection Trend Report
The following samples of the Zeek Log Collection Trend Report show Zeek telemetry successfully being captured.
Report Sample 1
This report sample provides a one-hour view.
The report displays a bar chart showing "Event Bytes Per Period" over a one-hour time range. The Y-axis represents event bytes, ranging from 0 to 1.14M. The X-axis shows time intervals from approximately 09:40 PM to 10:39 PM.
Report Sample 2
This report sample provides a 12-hour view.
The report displays a bar chart showing "Event Bytes Per Period" over a 12-hour time range. The Y-axis represents event bytes, ranging from 0 to 117.19K. The X-axis shows time intervals from approximately 02:00 PM to 01:00 AM.
[info] For more information about reports, click the [Help] icon to access the Report Builder Help topic.
Evaluating Zeek Events
There are two additional reports available to help you evaluate Zeek events:
- Zeek Database Ingest Trend Report
- Zeek Logs Report
Make sure you have Data Store and that Analytics is enabled.
[info] To enable Analytics, choose Configure > Detection > Analytics from the main menu, then click Analytics On.
Zeek Database Ingest Trend Report
To evaluate the Zeek conn.log events being written to your Data Store, do the following:
- Log in to your Manager.
- From the main menu, select Report > Report Builder.
- Click Create New Report, then select Zeek Database Ingest Trend.
- Click Run.
- Review the report:
- Is the Data Store receiving Zeek conn.log events?
- Were there any interruptions?
Report Sample
This sample provides a 12-hour view.
The report displays a bar chart showing "Records Written" as "Event Bytes Per Period" or "Event Count Per Period" over a 12-hour time range. The Y-axis represents records written, ranging from 0 to 14K. The X-axis shows time intervals from approximately 10:00 AM to 09:00 PM.
Zeek Logs Report
Make sure your Flow Collector is configured to receive data from Zeek. For instructions, refer to the System Configuration Guide.
You can run up to four Zeek log queries concurrently; additional queries wait in a queue.
To review the Zeek telemetry logging events for a specific Zeek log type on a Flow Collector, do the following:
1. Log in to your Manager.
2. From the main menu, select Report > Report Builder.
3. Click Create New Report, then select Zeek Logs.
4. Specify parameters in the required fields in the General area.
Parameter | More Information |
--- | --- |
Time Range | If you choose Custom, select a short time range for maximum performance. If you enter a long time range, the report may take a long time to query the data. |
Flow Collector | Select a Secure Network Analytics Flow Collector in your network. |
Max Records | Select the maximum number of records. The limit is 10,000 records. |
Zeek Log Type | Select a Zeek Log Type. |
[info] Selecting a log other than conn.log in the Zeek Log Type field may cause the report to run long, but it must run to completion.
5. Use the Filter area to specify additional parameters, if needed.
6. Click Run.
Report Sample
Optional parameters were selected when creating this report sample.
The report displays a table of Zeek log entries. Columns include timestamp, UID, ID.orig_h, ID.orig_p, ID.resp_h, ID.resp_p, proto, AA, TC, TY. The table shows sample data for several log entries, with timestamps around 7/16/2025 9:54 PM.
[info] To receive data on this report, you need Secure Network Analytics with a Data Store deployment. For information and instructions, refer to the Appliance Installation Guide (Hardware or Virtual Edition) and the System Configuration Guide.
Contacting Support
If you need technical support, please do one of the following:
- Contact your local Cisco Partner
- Contact Cisco Support
- To open a case by web: http://www.cisco.com/c/en/us/support/index.html
- For phone support: 1-800-553-2447 (U.S.)
- For worldwide support numbers: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Change History
Document Version | Published Date | Description |
--- | --- | --- |
1_0 | August 6, 2025 | Initial version. |
1_1 | August 19, 2025 | Added the All Supported Zeek Logs section. |
Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)