Converting Zeek Data to Argus

[openargus]

We added json formatted Zeek conn.log conversion to argus binary flow records in argus-clients-3.0.8.4. Initial testing looks really good. Data reduction is around 2.5-3.0:1 which is really good, and searching, sorting, filtering, labeling, metadata enhancement, aggregation, database insertions etc ... are all really snappy.

The strategy is that the raconvert.1 mapping configuration deals with all the fields, and for those that don't have native argus types, you can put the zeek key,value pairs into the argus metadata label. All argus clients support regex searching in metadata, and argus aggregation handles merging flow labels together, so that you can do very interesting analytics now with zeek conn.log data.

We haven't found any problems converting any zeek conn.log file so far, but the more testing the better. If you have some zeek conn.logs laying around, try converting them with raconvert.1 and the provided raconvert.zeek.conf file that's in the distribution. Any results are good results, but if you have problems post here or to the argus email address.

[openargus]

Testing has gone well, and we haven't had any bug reports. The test will be if this strategy works for other formats ... onto Google VPC !!!