[Zeek] Changing logging defaults

Adam Pumphrey apumphrey at bricata.com
Tue Jul 2 12:26:19 PDT 2019 

Hey Ambros

You can use Filters in local.zeek (local.bro in your case) to customize many of Zeek's default logging options.  A "default" filter is applied to each log stream, you have the option to customize the default filter or remove it and add a new one (or add multiple filters).  That's all done inside of a zeek_init() event handler.  To learn more I suggest reading this https://docs.zeek.org/en/stable/frameworks/logging.html#filters and checking out this blog post https://blog.zeek.org/2012/02/filtering-logs-with-bro.html (its old but still relevant).   

To manipulate field values, or add new ones, you'll need to use the appropriate event handlers.  This is one of those "it depends" situations.  In many cases you can use a protocol's log_* event (log_dns for example) to do what you need but, depending on the situation, there may be others that are a better fit.  I caution against modifying the values of built-in fields unless you have a compelling reason to do so though.  

Take the "rejected" field in the DNS stream for example, it tells you whether the DNS server refused to respond to a client request for policy reasons.  It only gets set to T if the server actually rejected the query; in other words "not rejected" is assumed unless the server says otherwise.  That said, why would you need to change the value?    Maybe you're actually trying to filter which DNS events get logged?  If so, you can accomplish that using the Filters I mentioned above with a predicate (pred) function.  Take a look at this for more info https://docs.zeek.org/en/stable/frameworks/logging.html#filter-log-records. 

Hope that helps.  

Adam

On 7/2/19, 9:53 AM, "zeek-bounces at zeek.org on behalf of Ambros Novak" <zeek-bounces at zeek.org on behalf of ambros.novak.89 at gmail.com> wrote:

    Good Day,
    
    I’m running an older version of Bro and would like to change some default logging options using the local.bro. 
    
    For example, in trying to change DNS’s rejected to T because it’s defaulted to F. 
    
    I’m able to change it in the module file, but I would rather do it in local.bro. 
    
    Thanks you for the assistance. 
    
    Ambros
    
    
    
    ——
    _______________________________________________
    Zeek mailing list
    zeek at zeek.org
    http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

More information about the Zeek mailing list