[Zeek] Zeek install monitoring multiple interfaces, need interface in logs

Eric Ooi ericooi at gmail.com
Tue Jan 22 07:56:05 PST 2019


Hi Darrell,

This might help --
https://blog.zeek.org/2012/02/filtering-logs-with-bro.html

Thanks,
Eric

On Tue, Jan 22, 2019 at 9:03 AM Darrell Miller <dmiller at stc-ntc-lsu.org>
wrote:

> Hi,
>
> I’ve been running bro for a few years, a simple straightforward install. I
> recently have a need for my bro instance to monitor two interfaces
> (internal network and external network).
>
> I’ve gotten this working; it was straightforward. My issue is that in most of
> the logs there is no tag or field indicating which interface the log entry
> is referring to. Some logs like weird.log do have a field called “peer”
> that indicates what seems to be the interface. DNS.log and CONN.log do
> not. Is there an easy way to add this field, or add a field saying which
> node of the cluster the log entry originated from? I hope that makes sense.
>
>
>
> Thank you,
>
> Darrell Miller
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
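An added example, not from this thread or the Zeek project, of one way to get the per-node field Darrell asks for: a Zeek script that appends the originating cluster node name to every log stream through the logging framework's extension-field hook, so conn.log and dns.log get it as well as weird.log. It assumes Bro/Zeek 2.6 or newer (where Log::default_ext_func exists), a cluster layout in which each worker is bound to exactly one interface (so the node name identifies the interface); the NodeTag module and add_node function names are mine.

```zeek
# Added example (not Zeek's own code): tag every log record with the
# name of the cluster node that produced it.
# Assumes Zeek 2.6+ for Log::default_ext_func / Log::Filter$ext_func.
module NodeTag;

export {
    ## Extension fields the logging framework appends to every record
    ## written through a filter that uses add_node as its ext_func.
    type Ext: record {
        ## Cluster node name (e.g. worker-1), which in a one-interface-
        ## per-worker layout also identifies the monitored interface.
        node: string &log;
    };
}

function add_node(path: string): any
{
    # Cluster::node is set from the cluster layout on each node; it is
    # empty when Zeek runs standalone, so fall back to peer_description,
    # the same value weird.log exposes in its "peer" column.
    local n = Cluster::node != "" ? Cluster::node : peer_description;
    return Ext($node=n);
}

# Applies to the default filter of every stream. Because the default
# extension prefix (Log::default_ext_prefix) is "_", the new column
# appears as "_node" in conn.log, dns.log and the other logs.
redef Log::default_ext_func = add_node;
```

Load the script from local.zeek on the manager and workers; because the field is added at write time it does not depend on event-handler priorities in the protocol scripts.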