Skip to content

stefanDeveloper/zeek-fluvio

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
.github/workflows
.github/workflows
 
 
scripts/Zeek/Fluvio
scripts/Zeek/Fluvio
 
 
src
src
 
 
tests
tests
 
 
CMakeLists.txt
CMakeLists.txt
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
configure
configure
 
 
zkg.meta
zkg.meta
 
 

Repository files navigation

Zeek-Fluvio Plugin

A high-performance Zeek log writer plugin that bridges telemetry payloads seamlessly into Fluvio streams. Built natively on the Fluvio C++ Client, this plugin ensures low-latency data ingestion for security operations and network analysis.

🚀 Features

  • Native C++ Performance: Leverages the official Fluvio C++ SDK for high-throughput log shipping.
  • Selective Log Streaming: Fine-grained control over which logs are sent to Fluvio via Zeek scripts.
  • Automatic Topic Mapping: Dynamically maps Zeek log streams (e.g., conn, dns, http) to Fluvio topics.
  • TLS Support: Programmatic mTLS authentication support for secure data pipelines.

🛠️ Installation

Using Zeek Package Manager (zkg)

The easiest way to install the plugin is via zkg:

zkg install zeek-fluvio

Manual Build

If you prefer to build from source:

git clone https://github.com/infinyon/zeek-fluvio
cd zeek-fluvio
./configure --zeek-dist=/path/to/zeek/source
make -C build
sudo make -C build install

Note

The build system uses FetchContent to automatically download the correct version of the Fluvio C++ client for your architecture.

⚙️ Configuration

The plugin is configured via the Fluvio module in Zeek. Add the following to your local.zeek or custom policy scripts:

Basic Setup

To send all active Zeek logs to Fluvio:

redef Fluvio::send_all_active_logs = T;

Selective Logging

To send only specific logs (e.g., Connection and DNS logs):

redef Fluvio::logs_to_send = set(Conn::LOG, DNS::LOG);

Excluding Logs

To exclude sensitive logs from being streamed:

redef Fluvio::logs_to_exclude = set(Software::LOG);

Options Reference

Option Type Default Description
Fluvio::send_all_active_logs bool F If T, sends every active log stream to Fluvio.
Fluvio::logs_to_send set[Log::ID] {} Explicit set of logs to ship.
Fluvio::logs_to_exclude set[Log::ID] {} Logs that should never be sent to Fluvio.
Fluvio::default_topic_name string "" Overrides the default topic mapping (uses log path if empty).

🏗️ Architecture

The plugin implements a custom Log::Writer called FLUVIOWRITER. When a log record is written in Zeek, the plugin:

  1. Formats the record as JSON.
  2. Identifies the target Fluvio topic (defaulting to the log's path).
  3. Asynchronously dispatches the payload to the Fluvio SPU clusters.

About

A Zeek log writer plugin that publishes to Fluvio.

Topics

security zeek zeek-package fluvio zeek-fluvio

Resources

Readme

License

Apache-2.0 license
Activity

Stars

3 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages