[Zeek] Bro scripts to write logs to Kafka fails

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Tue Mar 19 09:17:39 PDT 2019


Had some issues with this last week when building our ARM/ICS/IOT sensor.

Let me see if I can run down some notes.

On Tue, Mar 19, 2019 at 11:57 AM Arda Savran <asavran at layerxtech.com> wrote:

> Hello folks:
>
> I just installed zeek from source on a CentOS7.5 platform. Everything
> works fine. I can confirm that the logs are getting populated with http,
> dns etc. data.
>
> I am trying to write the data to a remote Kafka topic. I believe I
> compiled everything correctly based on the following link:
> https://packages.zeek.org/packages/view/7388aa77-4fb7-11e8-88be-0a645a3f3086
>
> And I am getting the expected return when I execute:
>
>  $ bro -N Apache::Kafka
>  Apache::Kafka - Writes logs to Kafka (dynamic, version 0.3)
>
> Next, I edited /usr/local/bro/share/bro/site/local.bro and appended the
> following:
>
> @load packages/metron-bro-plugin-kafka/Apache/Kafka
> redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG);
> redef Kafka::kafka_conf = table(
>     ["metadata.broker.list"] = "XX.XX.XX.XX:9092"
> );
>
> Unfortunately, this part doesn't work:
>
> [root at localhost scripts]# broctl check
> Warning: broctl config has changed (run the broctl "deploy" command)
> bro scripts failed.
> fatal error in /usr/local/bro/share/bro/site/local.bro, line 7: can't find packages/metron-bro-plugin-kafka/Apache/Kafka
>
> Has this happened to anyone before? Is there a fix for this?
>
> Thanks,
>
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 

Patrick Kelley, CISSP, C|EH, ITIL
CTO
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482

The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.
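An added diagnostic, not part of this thread and not code from the Zeek project or the plugin: a POSIX shell script that mimics how Zeek resolves an `@load` target against its script search path (BROPATH), so a "can't find ..." error like the one quoted above can be reproduced and explained against a constructed directory tree. The lookup order (target as given, then `.bro`/`.zeek`, then `__load__.bro`/`__load__.zeek` inside a directory of that name, walking the search path in order) is my approximation of Zeek's behaviour, and the directory names in the demo tree are constructed, not taken from the thread. The demo assumes the situation the error suggests: the plugin's own `scripts/` directory is on the search path, but there is no `site/packages/` tree (which a package manager install would create), so the `packages/...` form of the path has nothing to resolve to while the plugin-relative form does.

```shell
#!/bin/sh
# Added example: emulate Zeek's @load lookup to explain "can't find <path>".
# Assumed resolution order per search-path directory (approximation of Zeek):
#   <dir>/<target>, <dir>/<target>.bro, <dir>/<target>.zeek,
#   <dir>/<target>/__load__.bro, <dir>/<target>/__load__.zeek

# resolve_load SEARCHPATH TARGET
#   prints the first matching script file; returns 1 if nothing matches.
resolve_load() {
    target=$2
    rest=$1
    while [ -n "$rest" ]; do
        # peel one colon-separated directory off the front of the path
        dir=${rest%%:*}
        if [ "$dir" = "$rest" ]; then rest=""; else rest=${rest#*:}; fi
        [ -n "$dir" ] || continue
        for candidate in \
            "$dir/$target" \
            "$dir/$target.bro" \
            "$dir/$target.zeek" \
            "$dir/$target/__load__.bro" \
            "$dir/$target/__load__.zeek"; do
            if [ -f "$candidate" ]; then
                printf '%s\n' "$candidate"
                return 0
            fi
        done
    done
    return 1
}

# check_load SEARCHPATH TARGET
#   human-readable verdict for one @load line; returns 1 on "can't find".
check_load() {
    if file=$(resolve_load "$1" "$2"); then
        printf 'OK   @load %s -> %s\n' "$2" "$file"
        return 0
    fi
    printf 'FAIL @load %s: not found in %s\n' "$2" "$1"
    return 1
}

# Constructed demo tree (stand-in for a Zeek install prefix): the plugin's
# scripts exist under its own directory, but no site/packages tree exists.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/site" "$root/plugins/Apache_Kafka/scripts/Apache/Kafka"
    : > "$root/site/local.bro"
    : > "$root/plugins/Apache_Kafka/scripts/Apache/Kafka/__load__.bro"
    search_path="$root/site:$root/plugins/Apache_Kafka/scripts"

    # the @load form from the quoted local.bro: nothing under site/packages
    check_load "$search_path" packages/metron-bro-plugin-kafka/Apache/Kafka || true
    # the plugin-relative form resolves through the plugin's scripts directory
    check_load "$search_path" Apache/Kafka
    rm -rf "$root"
}

demo
```

Run it with `sh find-zeek-script.sh`; to diagnose a real install, call `check_load "$BROPATH" <target>` with the path `bro-config --bropath` reports (an assumption about that helper's output, verify it on your install) instead of the constructed tree.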