# Zeek Log Transport
Before proceeding, you should have:
- AC-Hunter installed and running (see AC-Hunter Installation)
- Zeek deployed and generating logs on the sensor host (see Zeek Configuration)
Zeek sensors write logs locally; for AC-Hunter to import them, those logs must be delivered to the AC-Hunter server via SFTP. The recommended approach is to use ZeekShip, a lightweight agent that runs alongside Zeek and automatically ships rotated log files to AC-Hunter.
There are three ways to get Zeek logs to your AC-Hunter server, listed from most recommended to least:
- ZeekShip as a Docker container (recommended): best when Docker is available (e.g., you are running the AC-Hunter docker-based Zeek install)
- ZeekShip as a system service: best for standalone Zeek installs without Docker
- Manual SSH/SFTP transport: last resort only
Running a Corelight sensor?
Corelight sensors ship Zeek logs with their own built-in SFTP export rather than ZeekShip. See Corelight SFTP Export for how to point that export at the AC-Hunter SFTP receiver.
## Setup Overview
Setting up log transport involves work on two machines (the Zeek sensor and the AC-Hunter server) in the following order:
- Open firewall ports on the AC-Hunter server (see Firewall Requirements)
- Install ZeekShip on the Zeek sensor (see ZeekShip Docker Install or ZeekShip Service Install); the installer generates an SSH key pair
- Copy ZeekShip's public key to the AC-Hunter server and start the SFTP receiver (see Enabling the AC-Hunter SFTP Receiver)
- Configure and start ZeekShip on the sensor to begin shipping logs
The sections below follow this order. Each ZeekShip install section will direct you back to the receiver setup at the right time.
## Firewall Requirements
The AC-Hunter server must be reachable from your Zeek sensors on the port used for log transport. Which port depends on your transport method:
| Direction | Port | Protocol | Purpose |
|---|---|---|---|
| Inbound to AC-Hunter | 2222 | TCP | SFTP log receiver (ZeekShip and containerized SFTP, recommended) |
| Inbound to AC-Hunter | 22 | TCP | Direct SSH/SCP/SFTP to the host (manual transport only) |
Confirm that any host-based firewalls (e.g. firewalld, ufw, iptables) and network firewalls between the sensor and AC-Hunter server allow the relevant port before proceeding with the ZeekShip or SFTP setup below.
## ZeekShip Docker Install
This is the recommended method for getting Zeek logs to AC-Hunter. If Docker is available on the Zeek sensor host (for example, if you are running the AC-Hunter docker-based Zeek install), you can run ZeekShip as a Docker container.
### Install
The ZeekShip Docker installer is included in the download bundle (see Download the Install Bundle). Copy it to the Zeek sensor host, then extract and run the installer:
The installer will:
- Load the ZeekShip Docker image
- Place `docker-compose.yml` and the default config at `/etc/zeekship/`
- Generate an SSH key pair at `/var/lib/zeekship/keys/`
- Place the `zeekship` script in `/usr/local/bin`
Important
The installer prints the public key at the end of installation. Copy this key; you need it for the next step.
Next: Before configuring or starting ZeekShip, switch to the AC-Hunter server and complete Enabling the AC-Hunter SFTP Receiver. Add the public key you just copied and bring up the SFTP receiver. Then come back here to configure and start ZeekShip.
### Configure
Edit the config file and set the AC-Hunter server address:
At minimum, set sftp.host to the IP or hostname of your AC-Hunter server. You should also set sensor_name to identify this sensor — if left blank, ZeekShip will use the machine's hostname, which may not produce a useful name inside a Docker container.
```hjson
{
  "sensor_name": "zeek_hq_01"      // optional; defaults to hostname if blank
  "sync": {
    "logs_root": "/opt/zeek/logs"  // verify this matches your Zeek logs directory
  },
  "sftp": {
    "host": "ach.example.com"      // set to your AC-Hunter server IP or hostname
  }
}
```
Important
The sensor_name must start with a lowercase letter, be 3–63 characters long, and contain only lowercase letters, numbers, and underscores.
### Start
### Verify
### Upgrade
Re-run the installer with a newer release. Existing config and keys are preserved.
### Uninstall
## ZeekShip Service Install
For hosts running Zeek natively without Docker, ZeekShip can be installed as a systemd service that continuously watches your Zeek log directories and uploads rotated logs to AC-Hunter over SFTP.
### Install
The ZeekShip service installer is included in the download bundle (see Download the Install Bundle). Copy it to the Zeek sensor host, then extract and run the installer:
The installer will:
- Install the `zeekship` binary to `/usr/local/bin/zeekship`
- Create a default config at `/etc/zeekship/config.hjson`
- Generate an SSH key pair at `/var/lib/zeekship/keys/`
- Install and enable the `zeekship` systemd service
Important
The installer prints the public key at the end of installation. Copy this key; you need it for the next step.
Next: Before configuring or starting ZeekShip, switch to the AC-Hunter server and complete Enabling the AC-Hunter SFTP Receiver. Add the public key you just copied and bring up the SFTP receiver. Then come back here to configure and start ZeekShip.
### Configure
Edit the config file and set the AC-Hunter server address:
At minimum, set sftp.host to the IP or hostname of your AC-Hunter server. You should also set sensor_name to identify this sensor — if left blank, ZeekShip will use the machine's hostname.
```hjson
{
  "sensor_name": "zeek_hq_01"      // optional; defaults to hostname if blank
  "sync": {
    "logs_root": "/opt/zeek/logs"  // verify this matches your Zeek logs directory
  },
  "sftp": {
    "host": "ach.example.com"      // set to your AC-Hunter server IP or hostname
  }
}
```
Important
The sensor_name must start with a lowercase letter, be 3–63 characters long, and contain only lowercase letters, numbers, and underscores.
The default config reference is available at /etc/zeekship/config.hjson.default.
### Start
### Verify
You should see ZeekShip connecting to the AC-Hunter server and beginning to upload logs.
### Key Config Options
| Setting | Default | Description |
|---|---|---|
| sftp.host | (required) | AC-Hunter server IP or hostname |
| sftp.port | 2222 | SFTP port on AC-Hunter |
| sync.logs_root | /opt/zeek/logs | Path to Zeek's log directory |
| sync.backfill_days | 3 | Days of log history to keep synced |
| sync.scan_interval_minutes | 5 | How often to scan for new files |
### Upgrade
Re-run the installer with a newer release. Existing config and SSH keys are preserved:
### Uninstall
## Enabling the AC-Hunter SFTP Receiver
Changed from previous versions
Previous versions of AC-Hunter shipped Zeek logs over the standard SSH port (22). While this approach can still work (see Option B: Direct SSH), it is no longer recommended. The dedicated SFTP receiver on port 2222 provides better isolation and is the default for all current ZeekShip configurations.
Before any sensor can ship logs, you must enable the SFTP receiver on the AC-Hunter server. This runs as an optional Docker service managed by the hunt command.
### Starting the Receiver
- Add the sensor's public key to the AC-Hunter server. Use the public key that was printed at the end of the ZeekShip installation (also available at `/var/lib/zeekship/keys/zeekship_ed25519.pub` on the sensor). Copy it to the AC-Hunter server:
  ```shell
  # Create a file named after this sensor (any name ending in .pub)
  sudo cp zeekship_ed25519.pub /etc/AC-Hunter/sftp/public_keys/sensor01.pub
  ```
  The receiver requires at least one `.pub` key file before it will start.
- Start the remote-logs service:
- Verify it is running:
Note
To add additional sensors later, copy each sensor's public key to /etc/AC-Hunter/sftp/public_keys/ as a new .pub file (e.g., sensor02.pub) and restart the receiver with hunt remote-logs restart.
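The receiver will not start without at least one valid key file, and a key that was truncated or mis-pasted while copying it from the sensor's terminal is easiest to catch before it lands in `/etc/AC-Hunter/sftp/public_keys/`. The following is an added example, not part of AC-Hunter or ZeekShip: it parses one OpenSSH public-key line, checks that the base64 blob really encodes a key of the declared type (for `ssh-ed25519`, exactly 32 key bytes), applies the same name rule ZeekShip uses for `sensor_name` to the file name, and then writes `<sensor>.pub`. The function names, the constructed sample key and the restart reminder are assumptions of this example; after adding a key you still restart the receiver with `hunt remote-logs restart` as the note above says.

```python
"""Added example: validate an OpenSSH public key before installing it for the
AC-Hunter SFTP receiver. Not part of AC-Hunter or ZeekShip."""
import base64
import os
import re
import struct

KEYS_DIR = "/etc/AC-Hunter/sftp/public_keys"       # receiver key directory from the docs
SENSOR_RE = re.compile(r"^[a-z][a-z0-9_]{2,62}$")    # same rule as ZeekShip's sensor_name


def parse_public_key(line):
    """Parse one '<type> <base64> [comment]' line and confirm the blob matches
    the declared type. The blob is SSH wire format: 4-byte big-endian length,
    type string, then the key fields. For ssh-ed25519 the only field is the
    32-byte public key, so a complete blob is 4 + 11 + 4 + 32 = 51 bytes."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key data is not valid base64: {exc}")
    if len(blob) < 4:
        raise ValueError("key blob is truncated")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode("ascii", "replace"):
        raise ValueError("declared type does not match the encoded type")
    if key_type == "ssh-ed25519":
        if len(blob) < 8 + tlen:
            raise ValueError("key blob is truncated")
        (klen,) = struct.unpack(">I", blob[4 + tlen:8 + tlen])
        if klen != 32 or len(blob) != 8 + tlen + klen:
            raise ValueError("ssh-ed25519 public key must be exactly 32 bytes")
    return {"type": key_type, "blob_len": len(blob),
            "comment": fields[2].strip() if len(fields) == 3 else ""}


def install_sensor_key(line, sensor_name, keys_dir=KEYS_DIR):
    """Validate the key and the sensor name, then write <keys_dir>/<sensor_name>.pub.
    Returns the path written. Nothing is written if validation fails."""
    if not SENSOR_RE.fullmatch(sensor_name):
        raise ValueError(f"invalid sensor name {sensor_name!r}")
    parse_public_key(line)
    os.makedirs(keys_dir, exist_ok=True)
    path = os.path.join(keys_dir, f"{sensor_name}.pub")
    with open(path, "w") as fh:
        fh.write(line.strip() + "\n")
    return path


# Constructed sample: a well-formed ssh-ed25519 line whose 32 key bytes are
# 0..31 (not a real key, only the encoding is realistic).
_SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
                + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " zeekship@sensor01"

if __name__ == "__main__":
    import tempfile
    print(parse_public_key(SAMPLE_KEY))
    # Writes into a temporary directory here; on the server use keys_dir=KEYS_DIR
    print(install_sensor_key(SAMPLE_KEY, "sensor01", keys_dir=tempfile.mkdtemp()))
```

Run it on the server as root (or with write access to the key directory) with the key line copied from the sensor, then restart the receiver. The wire-format check is what catches a line that lost its last few characters in a copy-paste: such a line is still valid base64, so a plain regex on the text would accept it.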
Next: Return to your ZeekShip install section (Docker or Service) to configure and start ZeekShip.
### Managing the Receiver
| Command | Description |
|---|---|
| hunt remote-logs up -d | Start the receiver (detached) |
| hunt remote-logs down | Stop the receiver |
| hunt remote-logs restart | Restart the receiver |
| hunt remote-logs status | Show receiver status |
Once enabled, the receiver will automatically restart with hunt up and hunt restart.
## Corelight SFTP Export
Corelight sensors already produce Zeek-format logs and ship them with their own built-in SFTP export, so you do not install ZeekShip on a Corelight sensor. Instead, point Corelight's export at the AC-Hunter SFTP receiver — from AC-Hunter's perspective, Corelight is just another sensor delivering logs over port 2222.
### On the AC-Hunter server
This is the same setup as for any sensor (see Enabling the AC-Hunter SFTP Receiver):
- Add Corelight's export public key to the AC-Hunter server:
- Start the receiver:
### In Corelight's export configuration
Point the export at your AC-Hunter server with these settings:
| Setting | Value |
|---|---|
| Host | Your AC-Hunter server IP or hostname |
| Port | 2222 |
| User | zeekdrop |
| Auth | SSH key (the key whose public half you added above) |
| Format | JSON, gzipped |
| Destination | Under /upload, laid out as /upload/<sensor_name>/YYYY-MM-DD/ |
Common Issues
- The receiver is strict about how Corelight connects. It accepts only user `zeekdrop`, on port `2222`, with SSH key authentication (no password). Corelight's export has to match all three or the connection will be refused.
- The on-disk layout has to match exactly. AC-Hunter groups logs by `<sensor_name>/YYYY-MM-DD/` folders and by Zeek filename prefix (`conn*`, `dns*`, `http*`, `ssl*`). If Corelight's export lands files in a different shape, the importer will not group them by sensor and day correctly.
After the export is running, confirm logs are arriving in the AC-Hunter UI for the sensor name you configured.
## Manual SSH/SFTP Transport
Warning
This method is not recommended. Use ZeekShip whenever possible. Manual transport is harder to maintain, lacks automatic retry and backfill, and is more error-prone.
If you cannot use ZeekShip, you can set up your own mechanism to deliver Zeek logs to AC-Hunter. There are two options:
### Option A: Use the AC-Hunter SFTP Receiver (port 2222)
This uses the containerized SFTP receiver described in Enabling the AC-Hunter SFTP Receiver.
- The AC-Hunter SFTP receiver must be running
- Connect via SFTP to port 2222 on the AC-Hunter server
- Authenticate as user `zeekdrop` using SSH key authentication
- Upload logs to the `/upload` directory
Logs must be organized by sensor and date under the upload directory, as `/upload/<sensor_name>/YYYY-MM-DD/`.
For example:
```text
/upload/zeek_hq_01/2026-03-05/conn.12:00:00-13:00:00.log.gz
/upload/zeek_hq_01/2026-03-05/dns.12:00:00-13:00:00.log.gz
```
Example session:
```text
sftp -P 2222 -i /path/to/private_key zeekdrop@ach.example.com
sftp> cd /upload
sftp> mkdir my_sensor
sftp> cd my_sensor
sftp> mkdir 2026-03-05
sftp> cd 2026-03-05
sftp> put *.log.gz
```
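Both the Corelight "Common Issues" above and the manual Option A come down to the same two requirements: a valid sensor name and files landing in `/upload/<sensor_name>/YYYY-MM-DD/` with a Zeek filename prefix the importer recognizes. The following is an added example, not ZeekShip's or AC-Hunter's code: it plans which rotated `.log.gz` files under the Zeek logs directory to ship (skipping the live `current/` files, anything older than the backfill window and anything already sent), turns the plan into a batch file for `sftp -b`, and audits a set of remote paths by grouping them the way the importer does (sensor, day, prefix) while flagging files that do not fit the layout. Function names, the constructed sample directory listing and the choice to pass `today` as a string are assumptions of this example; the sensor-name rule, the paths, the prefixes and the `backfill_days` default are taken from this page.

```python
"""Added example (not part of AC-Hunter or ZeekShip): plan a manual upload of
rotated Zeek logs into /upload/<sensor_name>/YYYY-MM-DD/ and audit that layout."""
import re
from collections import defaultdict
from datetime import date, timedelta

LOGS_ROOT = "/opt/zeek/logs"   # default sync.logs_root from the docs
UPLOAD_ROOT = "/upload"        # directory the receiver expects files under
SENSOR_RE = re.compile(r"^[a-z][a-z0-9_]{2,62}$")   # sensor_name rule from the docs
DAY_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
PREFIXES = ("conn", "dns", "http", "ssl")           # prefixes AC-Hunter groups by


def validate_sensor_name(name):
    return bool(SENSOR_RE.fullmatch(name))


def plan_uploads(local_files, sensor_name, today, backfill_days=3, already_sent=()):
    """Map rotated logs (paths relative to LOGS_ROOT, e.g.
    '2026-03-05/conn.12:00:00-13:00:00.log.gz') to remote paths. Files in
    'current/' (still being written), files older than the backfill window
    and files already sent are skipped. 'today' is an ISO date string."""
    if not validate_sensor_name(sensor_name):
        raise ValueError(f"invalid sensor_name {sensor_name!r}")
    oldest = date.fromisoformat(today) - timedelta(days=backfill_days)
    sent = set(already_sent)
    plan = []
    for rel in sorted(local_files):
        day, _, name = rel.partition("/")
        if not DAY_RE.match(day) or "/" in name or not name.endswith(".log.gz"):
            continue  # not a rotated, gzipped log in a YYYY-MM-DD directory
        try:
            if date.fromisoformat(day) < oldest or rel in sent:
                continue
        except ValueError:
            continue  # matched the pattern but is not a real calendar date
        plan.append((rel, f"{UPLOAD_ROOT}/{sensor_name}/{day}/{name}"))
    return plan


def sftp_batch(plan, sensor_name):
    """Commands for `sftp -b <file>`. A leading '-' makes sftp ignore an error
    on that command (here: the directory already exists) and continue."""
    lines = [f"-mkdir {UPLOAD_ROOT}/{sensor_name}"]
    made = set()
    for rel, remote in plan:
        day_dir = remote.rsplit("/", 1)[0]
        if day_dir not in made:
            made.add(day_dir)
            lines.append(f"-mkdir {day_dir}")
        lines.append(f"put {LOGS_ROOT}/{rel} {remote}")
    lines.append("bye")
    return lines


def audit_layout(remote_paths):
    """Group remote paths the way the importer does (sensor, day, prefix).
    Files outside /upload/<sensor_name>/YYYY-MM-DD/ are returned as misplaced;
    well-placed files with a prefix the importer does not use as ignored."""
    groups = defaultdict(lambda: defaultdict(int))
    misplaced, ignored = [], []
    for path in remote_paths:
        parts = path.split("/")   # expect ['', 'upload', sensor, day, filename]
        if (len(parts) != 5 or parts[1] != "upload"
                or not validate_sensor_name(parts[2]) or not DAY_RE.match(parts[3])):
            misplaced.append(path)
            continue
        prefix = next((p for p in PREFIXES if parts[4].startswith(p)), None)
        if prefix is None:
            ignored.append(path)
            continue
        groups[(parts[2], parts[3])][prefix] += 1
    return {k: dict(v) for k, v in groups.items()}, misplaced, ignored


# Constructed sample listing of a Zeek logs directory, relative to LOGS_ROOT
SAMPLE_LOCAL = [
    "current/conn.log",                           # live file, never shipped
    "2026-03-05/conn.12:00:00-13:00:00.log.gz",
    "2026-03-05/dns.12:00:00-13:00:00.log.gz",
    "2026-03-04/http.00:00:00-01:00:00.log.gz",
    "2026-02-20/conn.00:00:00-01:00:00.log.gz",  # older than the backfill window
]

if __name__ == "__main__":
    plan = plan_uploads(SAMPLE_LOCAL, "zeek_hq_01", today="2026-03-05")
    print("\n".join(sftp_batch(plan, "zeek_hq_01")))
    print(audit_layout([remote for _, remote in plan]))
```

Write the batch lines to a file and run `sftp -P 2222 -i /path/to/private_key -b batch.txt zeekdrop@<ac-hunter-host>`; batch mode requires key authentication, which is what the receiver expects anyway. Persisting the set passed as `already_sent` between runs is the bookkeeping the closing paragraph of this section says you take on with manual transport.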
### Option B: Direct SSH to the AC-Hunter Host (port 22)
If you do not want to use the SFTP receiver container at all, you can transfer logs directly to the AC-Hunter host using standard SSH/SCP/SFTP on port 22. The logs simply need to land in the correct directory on the AC-Hunter server:
For example:
```shell
scp *.log.gz <user>@ach.example.com:/opt/zeek/remotelogs/my_sensor/2026-03-05/
```
This requires that you have standard SSH access to the AC-Hunter host and appropriate filesystem permissions. The SFTP receiver container does not need to be running for this method.
### Option C: Other Transport Methods
Any mechanism that delivers Zeek logs to the AC-Hunter server will work, as long as the files end up in the correct directory:
Examples include mounting an S3 bucket, using a log shipper like Vector, rsync, or any other file transfer tool. The directory structure and file format must match what Zeek produces.
Unsupported configuration
Custom transport methods beyond ZeekShip and the AC-Hunter SFTP receiver are not covered by Active Countermeasures technical support. You are responsible for configuring, maintaining, and troubleshooting any custom log delivery pipeline.
With any manual option, you would need to configure and manage the transport yourself, handle retries, and track which files have already been uploaded. This is why ZeekShip is strongly recommended.