[Zeek] MAC Address In Logs

Chris Walsh chris at cwalsh.org
Tue Feb 19 17:02:45 PST 2019


In my 2.5.3 installation, the comment above the line in question says that the MAC addrs will be logged to the conn.log file.  This is what happens for me.  From there, they can be linked to other logs via the uid field.

Are you sure that your conn.log does not have the orig_l2_addr and resp_l2_addr fields?

Chris

> On Feb 19, 2019, at 5:38 PM, TQ <nothinrandom at gmail.com> wrote:
> 
> Thanks for the reply, Michael.  So I went into /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load policy/protocols/conn/mac-logging.  I reran bro and checked all log files, but none contain the MAC address.  This is running on Zeek 2.6.1.  I'm not sure what to expect (i.e. two columns for source/destination MAC?).  Maybe I'm missing another step?
> 
> Thanks,
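
The check and the uid link discussed in this thread, as an added example that is not part of the original messages: it looks for orig_l2_addr and resp_l2_addr in the #fields header of conn.log, then joins another log to conn.log on uid. It assumes Zeek's default TSV log format; the sample rows, the uids and the helper names are constructed for illustration.

```python
# Added example: constructed sample logs, not output from a real sensor.
MAC_FIELDS = ("orig_l2_addr", "resp_l2_addr")

def tsv(*rows):
    """Build Zeek-style TSV text from tuples (keeps tabs explicit)."""
    return "\n".join("\t".join(r) for r in rows) + "\n"

CONN_LOG = tsv(
    ("#separator \\x09",),
    ("#path", "conn"),
    ("#fields", "ts", "uid", "id.orig_h", "id.resp_h", "orig_l2_addr", "resp_l2_addr"),
    ("1550624565.1", "CsAmpl1", "192.0.2.10", "192.0.2.53", "00:00:5e:00:53:01", "00:00:5e:00:53:fe"),
    ("1550624566.2", "CsAmpl2", "192.0.2.11", "198.51.100.7", "-", "-"),
)
DNS_LOG = tsv(
    ("#path", "dns"),
    ("#fields", "ts", "uid", "query"),
    ("1550624565.1", "CsAmpl1", "example.com"),
    ("1550624570.0", "CsAmpl9", "example.org"),  # uid with no conn.log entry
)

def parse_zeek_log(text):
    """Return (field_names, rows) for a Zeek TSV log; rows are dicts."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return fields, rows

def missing_mac_fields(fields):
    """MAC columns absent from the header; an empty list means they are logged."""
    return [f for f in MAC_FIELDS if f not in fields]

def attach_macs(conn_rows, other_rows):
    """Join another log to conn.log on uid; '-' (unset) becomes None."""
    macs = {r["uid"]: tuple(None if r.get(f, "-") == "-" else r[f] for f in MAC_FIELDS)
            for r in conn_rows}
    return [dict(r, orig_l2_addr=macs.get(r["uid"], (None, None))[0],
                 resp_l2_addr=macs.get(r["uid"], (None, None))[1]) for r in other_rows]

if __name__ == "__main__":
    conn_fields, conn_rows = parse_zeek_log(CONN_LOG)
    print("missing MAC columns:", missing_mac_fields(conn_fields))
    _, dns_rows = parse_zeek_log(DNS_LOG)
    for row in attach_macs(conn_rows, dns_rows):
        print(row["uid"], row["query"], row["orig_l2_addr"], row["resp_l2_addr"])
```
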



