[Zeek] Zeek install monitoring multiple interfaces, need interface in logs

Darrell Miller dmiller at stc-ntc-lsu.org
Tue Jan 22 06:52:55 PST 2019


Hi,
I've been running bro for a few years, a simple straightforward install. I recently have a need for my bro instance to monitor two interfaces (internal network and external network).
I've gotten this working, it was straightforward. My issue is in most of the logs there is no tag or field indicating which interface the log entry is referring to. Some logs like weird.log do have a field called "peer" that indicates what seems to be the interface. DNS.log and CONN.log do not. Is there an easy way to add this field, or add a field saying which node of the cluster the log entry originated from? I hope that makes sense.

Thank you,
Darrell Miller
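One way to get the requested origin field into every log, including conn.log and dns.log, is the logging framework's extension-field mechanism. The script below is an added example for this thread, not code from the poster or from the Zeek project; it assumes Bro/Zeek 2.6 or later (where Log::default_ext_func exists) and a ZeekControl-style cluster layout in which each worker's monitored interface is recorded in Cluster::nodes from node.cfg. The module name LogOrigin and the field names node and interface are this example's own choices.

```zeek
##! Added example (not from the thread): append the producing cluster node
##! and its monitored interface to every log stream, so conn.log, dns.log
##! and the rest carry the same origin information weird.log has in "peer".
##! Assumes Zeek/Bro 2.6+ (Log::default_ext_func) and that the cluster
##! layout populates Cluster::nodes[<name>]$interface (ZeekControl does).

module LogOrigin;

export {
    ## Fields appended to every log line. They are written with
    ## Log::default_ext_prefix ("_" by default), so they appear as
    ## _node and _interface in each log.
    type Extension: record {
        node: string &log;
        interface: string &log;
    };
}

## Called once per log write path; returns the record whose fields are
## added to the line. Standalone (non-cluster) runs have an empty
## Cluster::node, so fall back to peer_description, which weird.log uses.
function origin_fields(path: string): Extension
{
    local node = Cluster::node != "" ? Cluster::node : peer_description;
    local iface = "unknown";

    if ( Cluster::node in Cluster::nodes &&
         Cluster::nodes[Cluster::node]?$interface )
        iface = Cluster::nodes[Cluster::node]$interface;

    return Extension($node=node, $interface=iface);
}

redef Log::default_ext_func = origin_fields;
```

Load this from local.zeek (local.bro on 2.6) and redeploy with broctl/zeekctl; each worker then tags its own lines, so a conn.log entry from the worker attached to the external interface and one from the internal worker are distinguishable by _interface without touching the Conn::Info or DNS::Info record definitions. If you only want the node name, drop the interface lookup and keep the single field.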

