[Zeek] Zeek install monitoring multiple interfaces, need interface in logs

Darrell Miller dmiller at stc-ntc-lsu.org
Tue Jan 22 08:02:17 PST 2019


Thanks, I found this right after I hit “send” on my mail.
Here is what I came up with to save anyone else a little bit of time:
If there is a better way of doing it, please let me know. So far these are the logs I’ve been able to add the interface to. Communications.log did not work using the same pattern.

## ---====================================================================================================================
# Add the interface name to the log filename.
# get_event_peer()$descr is the name of the node writing the record
# (broctl sets peer_description to the node name), so it can be looked
# up in Cluster::nodes to find the interface that node is sniffing.
event bro_init()
        {
        if ( reading_live_traffic() )
                {
                # Drop the default filter so only the interface-tagged file is written,
                # then add a filter whose path_func picks the filename per node.
                Log::remove_default_filter(HTTP::LOG);
                Log::add_filter(HTTP::LOG, [$name = "http-interfaces",
                                            $path_func(id: Log::ID, path: string, rec: HTTP::Info) =
                                                {
                                                local peer = get_event_peer()$descr;
                                                if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
                                                        return cat("http_", Cluster::nodes[peer]$interface);
                                                else
                                                        return "http";
                                                }
                                            ]);

                Log::remove_default_filter(Conn::LOG);
                Log::add_filter(Conn::LOG, [$name = "conn-interfaces",
                                            $path_func(id: Log::ID, path: string, rec: Conn::Info) =
                                                {
                                                local peer = get_event_peer()$descr;
                                                if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
                                                        return cat("conn_", Cluster::nodes[peer]$interface);
                                                else
                                                        return "conn";
                                                }
                                            ]);

                Log::remove_default_filter(Weird::LOG);
                Log::add_filter(Weird::LOG, [$name = "weird-interfaces",
                                            $path_func(id: Log::ID, path: string, rec: Weird::Info) =
                                                {
                                                local peer = get_event_peer()$descr;
                                                if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
                                                        return cat("weird_", Cluster::nodes[peer]$interface);
                                                else
                                                        return "weird";
                                                }
                                            ]);

                Log::remove_default_filter(DNS::LOG);
                Log::add_filter(DNS::LOG, [$name = "DNS-interfaces",
                                            $path_func(id: Log::ID, path: string, rec: DNS::Info) =
                                                {
                                                local peer = get_event_peer()$descr;
                                                if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
                                                        return cat("DNS_", Cluster::nodes[peer]$interface);
                                                else
                                                        return "dns";
                                                }
                                            ]);

        } #end if
} #end event
## ---====================================================================================================================

In your logs folder, each logfile will be split up by the interface:
DNS_eth01.log
DNS_eth02.log
weird_eth01.log
weird_eth02.log
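The same split can be done without repeating the path function for every log. This is an added example, not code from Darrell's mail or from the Zeek distribution: one path_func declared with `rec: any` is attached to every stream in a set, keeping the default path ("conn", "dns", ...) as the prefix. It assumes a Bro/Zeek 2.6 cluster where Cluster::node (set by broctl) names the current node; `interface_path` and `split_logs` are names chosen here.

```zeek
# Added example: one path_func shared by all selected logs.
# Assumes Cluster::node holds this node's name (set by broctl);
# on older pre-Broker releases get_event_peer()$descr gives the same value.

# Build "<default path>_<interface>" for the node writing the record,
# falling back to the default path when no interface is configured.
function interface_path(id: Log::ID, path: string, rec: any): string
        {
        local node = Cluster::node;
        if ( node in Cluster::nodes && Cluster::nodes[node]?$interface )
                return cat(path, "_", Cluster::nodes[node]$interface);
        return path;
        }

# Streams to split by interface; redef to add more.
const split_logs: set[Log::ID] = { HTTP::LOG, Conn::LOG, Weird::LOG, DNS::LOG } &redef;

# Negative priority so every stream's default filter exists before we swap it.
event bro_init() &priority=-10
        {
        if ( ! reading_live_traffic() )
                return;

        for ( id in split_logs )
                {
                # Copy the default filter's settings and only change name and path_func.
                local f = copy(Log::get_filter(id, "default"));
                f$name = "interface-split";
                f$path_func = interface_path;
                Log::remove_default_filter(id);
                Log::add_filter(id, f);
                }
        }
```

With two workers on eth01 and eth02 this yields conn_eth01.log, conn_eth02.log, dns_eth01.log and so on; a standalone (non-cluster) node keeps the plain filenames.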


From: Eric Ooi <ericooi at gmail.com>
Sent: Tuesday, January 22, 2019 9:56 AM
To: Darrell Miller <dmiller at stc-ntc-lsu.org>
Cc: zeek at zeek.org
Subject: Re: [Zeek] Zeek install monitoring multiple interfaces, need interface in logs

Hi Darrell,

This might help -- https://blog.zeek.org/2012/02/filtering-logs-with-bro.html

Thanks,
Eric

On Tue, Jan 22, 2019 at 9:03 AM Darrell Miller <dmiller at stc-ntc-lsu.org> wrote:
Hi,
I’ve been running bro for a few years, a simple straightforward install. I recently have a need for my bro instance to monitor two interfaces (internal network and external network).
I’ve gotten this working, it was straightforward. My issue is in most of the logs there is no tag or field indicating which interface the log entry is referring to. Some logs like weird.log do have a field called “peer” that indicates what seems to be the interface. DNS.log and CONN.log do not. Is there an easy way to add this field, or add a field saying which node of the cluster the log entry originated from? I hope that makes sense.

Thank you,
Darrell Miller