
log-analysis

Overview

Tools such as Kibana, Wazuh, Grafana, and Security Onion provide excellent solutions for ingesting and visualizing data. While the benefit of such tools cannot be overstated, there are times when it is helpful to have a lightweight option for examining data where resources are limited. This demonstration project aims to provide such a solution for Zeek logs.

Demo

Install Rust

### Install rust (if not already):
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Get an ip2location API key

  • Create an account on https://www.ip2location.io/.

  • Add your ip2location API key as the IP2LOCATION_API_KEY env variable in $CARGO_HOME/config.toml

Example config.toml:

$ cat ~/.cargo/config.toml
[env]
IP2LOCATION_API_KEY="yourip2locationapikey"

Clone and run

### Clone repo:
$ git clone /~https://github.com/endepointe/log-analysis.git
$ cd log-analysis
$ sh decrypt.sh

### Enter the passphrase submitted along with the challenge.
### Otherwise, use your own zeek log data (in tsv format) to demo this tool.
$ sh run.sh

### Querying the IP results may take a minute.
### This is an opportunity to speed things up with threading.
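As an added example (not code from this repository), the following Rust snippet parses Zeek's TSV log format from a constructed conn.log fragment and collects the distinct public responder addresses, the de-duplicated set a tool like this would send to ip2location; the names `ZeekLog`, `parse_zeek_tsv` and `public_addrs` are chosen here and are not the project's API.

```rust
use std::collections::BTreeSet;
use std::net::IpAddr;
// Constructed sample (not real capture data): a Zeek conn.log fragment in TSV form.
const SAMPLE_CONN_LOG: &str = "#separator \\x09\n\
#unset_field\t-\n\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n\
1700000000.123456\tCabc1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\n\
1700000001.654321\tCabc2\t10.0.0.7\t51235\t198.51.100.25\t80\ttcp\thttp\n\
1700000002.000000\tCabc3\t10.0.0.5\t51236\t203.0.113.10\t443\ttcp\t-\n\
1700000003.000000\tCabc4\t10.0.0.5\t51237\t10.0.0.1\t53\tudp\tdns\n\
#close\t2023-11-14-22-13-22\n";

/// A parsed Zeek TSV log: column names from `#fields` plus one record per data row.
pub struct ZeekLog { pub fields: Vec<String>, pub records: Vec<Vec<String>> }

/// Parses Zeek's ASCII TSV format: '#'-prefixed lines are header/footer directives (only
/// `#fields` is needed); rows whose column count differs from the header are dropped.
pub fn parse_zeek_tsv(input: &str) -> Result<ZeekLog, String> {
    let (mut fields, mut records) = (Vec::<String>::new(), Vec::new());
    for line in input.lines() {
        if let Some(rest) = line.strip_prefix("#fields\t") {
            fields = rest.split('\t').map(|s| s.to_string()).collect();
        } else if !line.starts_with('#') && !line.is_empty() {
            if fields.is_empty() { return Err("data row before #fields header".to_string()); }
            let cols: Vec<String> = line.split('\t').map(|s| s.to_string()).collect();
            if cols.len() == fields.len() { records.push(cols); }
        }
    }
    Ok(ZeekLog { fields, records })
}

impl ZeekLog {
    /// Distinct routable addresses in one `addr` column (e.g. `id.resp_h`): the set worth
    /// sending to a geolocation API. Unset ('-'), unparsable, private, loopback and
    /// link-local addresses are skipped so internal topology is not handed to a third party.
    pub fn public_addrs(&self, field: &str) -> BTreeSet<String> {
        let idx = match self.fields.iter().position(|f| f == field) { Some(i) => i, None => return BTreeSet::new() };
        self.records.iter().filter_map(|r| r[idx].parse::<IpAddr>().ok())
            .filter(|ip| match ip {
                IpAddr::V4(v4) => !(v4.is_private() || v4.is_loopback() || v4.is_link_local()),
                IpAddr::V6(v6) => !v6.is_loopback(),
            })
            .map(|ip| ip.to_string()).collect()
    }
}

fn main() {
    let log = parse_zeek_tsv(SAMPLE_CONN_LOG).expect("valid log");
    for ip in log.public_addrs("id.resp_h") { println!("{}", ip); }
}
```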

Usage (also see Testing)

  • Scroll Up/Down: ↑ / ↓
  • Change tabs: ← / →
  • Toggle menu: Esc
  • Toggle additional info: i
  • Toggle focus: Tab

Testing

The setup and testing will improve; bear with me. If you run into any issues, please submit an issue. I am here to help.

Tests are located in tests/. Test-case additions are welcome in PRs.

Performance

# Requires flamegraph and perf
# Repo: /~https://github.com/flamegraph-rs/flamegraph
cargo flamegraph --test <location>

Contributing

Contributions are welcome! Please submit pull requests or open issues to improve the library.

License

This project is licensed under the MIT License. See the LICENSE file for details.

About

A Zeek log analysis library implemented in Rust
