[Zeek] Creating a module and accessing an event in another script

Justin Azoff justin at corelight.com
Thu Jun 6 11:54:07 PDT 2019


Probably this?
https://www.zeek.org/documentation/faq.html#why-isn-t-zeek-producing-the-logs-i-expect-a-note-about-checksums

On Thu, Jun 6, 2019 at 2:45 PM Merril Mathew <merril.mathew at baby2body.com>
wrote:

> Hi Justin,
>
> Now it sends the email. But it executes the "if(!rec?$auth_success)"
> condition and I am getting the message "unknown". Which means auth_success is
> not found on live traffic, so the error remains I think.
>
> Kind regards,
> Merril.
>
> On Wed, 5 Jun 2019, 18:39 Justin Azoff, <justin at corelight.com> wrote:
>
>> That script should generally work, but it was a lot more complicated than
>> it needed to be to accomplish what you are trying to do.  Here is a much
>> simplified version.
>>
>> The only thing to keep in mind is that since you are using zeek_init to
>> set up the log stream this won't work on bro or a small number of zeek
>> builds from right after the rename.  There are no released versions of zeek
>> so I don't know when you built it.  Using bro_init is backwards compatible
>> and is probably better for now.
>>
>> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew <
>> merril.mathew at baby2body.com> wrote:
>>
>>> Hi Justin,
>>>
>>> I can confirm that the attached scripts do not send me email on live
>>> traffic or create a log under $PREFIX/logs/current. But it does create
>>> notice.log and a SSHAttempt.log when running pcap. I can also confirm that
>>> send mail setup is working as I have received emails from zeek from other
>>> scripts.
>>>
>>> Kind regards,
>>> Merril.
>>>
>>>
>>>
>>> On 5 Jun 2019, at 17:20, Justin Azoff <justin at corelight.com> wrote:
>>>
>>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew <
>>> merril.mathew at baby2body.com> wrote:
>>>
>>>> Hi Justin,
>>>>
>>>> Thanks. But it did not work for me.
>>>>
>>>
>>> Did not work how?  Did you post the version of the script that didn't
>>> work?
>>>
>>> --
>>> Justin
>>>
>>>
>>>
>>
>> --
>> Justin
>>
>

-- 
Justin