[Zeek] Bro scripts to write logs to Kafka fails

Zeolla@GMail.com zeolla at gmail.com
Tue Mar 19 13:30:48 PDT 2019


Did you install it manually or with bro-pkg?  Also, is this master or a
specific release?

- Jon Zeolla
Zeolla at GMail.Com


On Tue, Mar 19, 2019 at 12:25 PM Patrick Kelley <
patrick.kelley at criticalpathsecurity.com> wrote:

> Had some issues with this last week when building our ARM/ICS/IOT sensor.
>
> Let me see if I can run down some notes.
>
> On Tue, Mar 19, 2019 at 11:57 AM Arda Savran <asavran at layerxtech.com>
> wrote:
>
>> Hello folks:
>>
>> I just installed zeek from source on a CentOS7.5 platform. Everything
>> works fine. I can confirm that the logs are getting populated with http,
>> dns etc. data.
>>
>> I am trying to write the data to a remote Kafka topic. I believe I
>> compiled everything correctly based on the following link:
>> https://packages.zeek.org/packages/view/7388aa77-4fb7-11e8-88be-0a645a3f3086
>>
>> And I am getting the expected return when I execute:
>>
>>   $ bro -N Apache::Kafka
>>   Apache::Kafka - Writes logs to Kafka (dynamic, version 0.3)
>>
>> Next, I edited /usr/local/bro/share/bro/site/local.bro and appended the
>> following:
>>
>>   @load packages/metron-bro-plugin-kafka/Apache/Kafka
>>   redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG);
>>   redef Kafka::kafka_conf = table(
>>       ["metadata.broker.list"] = "XX.XX.XX.XX:9092"
>>   );
>>
>> Unfortunately, this part doesn't work:
>>
>>   [root at localhost scripts]# broctl check
>>   Warning: broctl config has changed (run the broctl "deploy" command)
>>   bro scripts failed.
>>   fatal error in /usr/local/bro/share/bro/site/local.bro, line 7: can't find packages/metron-bro-plugin-kafka/Apache/Kafka
>>
>> Has this happened to anyone before? Is there a fix for this?
>>
>> Thanks,
>>
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
>
> --
>
> Patrick Kelley, CISSP, C|EH, ITIL
> CTO
> patrick.kelley at criticalpathsecurity.com
> (o) 770-224-6482
>
> The limit to which you have accepted being comfortable is the limit to
> which you have grown. Accept new challenges as an opportunity to enrich
> yourself and not as a point of potential failure.
>
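The "can't find packages/..." fatal error above is a search-path failure: Zeek resolves an @load target by walking BROPATH (ZEEKPATH in later releases) and taking the first hit among `X.bro`, `X.zeek`, or a directory `X` containing `__load__.bro` / `__load__.zeek`. A `packages/<name>/...` prefix therefore only resolves when the directory that holds `packages/` is on that path, which for a bro-pkg install is the one printed by `bro-pkg config script_dir` (and exported by `bro-pkg env`); a manually built plugin ships its scripts under the plugin's own directory instead, so the `packages/` prefix never matches there. The script below is an added example, not code from this thread or from the metron-bro-plugin-kafka project: it reproduces Zeek's search rule in POSIX sh so a given BROPATH and @load line can be checked without running broctl. The fixture directory it builds under mktemp is constructed for the demo; the site path `/usr/local/bro/share/bro/site` is the one from the error message.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin project): emulate Zeek's
# @load search so a "can't find <path>" error can be reproduced from the shell.
#
# Assumed search rule (matches Zeek's documented behaviour): for "@load X",
# walk the colon-separated search path and accept the first of
#   <dir>/X.bro, <dir>/X.zeek, <dir>/X/__load__.bro, <dir>/X/__load__.zeek

# resolve_load SEARCHPATH TARGET
#   Prints the file Zeek would load and returns 0, or prints nothing and
#   returns 1 (the shell analogue of the "can't find" fatal error).
resolve_load() {
    _search="$1"
    _target="$2"
    _saved_ifs="$IFS"
    set -f                    # no globbing while splitting the path
    IFS=':'
    set -- $_search           # function-local positional params: one per dir
    IFS="$_saved_ifs"
    set +f
    for _dir in "$@"; do
        [ -n "$_dir" ] || continue
        for _cand in "$_dir/$_target.bro" "$_dir/$_target.zeek" \
                     "$_dir/$_target/__load__.bro" "$_dir/$_target/__load__.zeek"; do
            if [ -f "$_cand" ]; then
                printf '%s\n' "$_cand"
                return 0
            fi
        done
    done
    return 1
}

# make_fixture: constructed, offline stand-in for a bro-pkg script_dir that
# holds the plugin scripts under packages/<package>/Apache/Kafka.
make_fixture() {
    _root=$(mktemp -d)
    mkdir -p "$_root/packages/metron-bro-plugin-kafka/Apache/Kafka"
    : > "$_root/packages/metron-bro-plugin-kafka/Apache/Kafka/__load__.bro"
    printf '%s\n' "$_root"
}

# check_load SEARCHPATH TARGET: human-readable verdict for one @load line.
check_load() {
    if _hit=$(resolve_load "$1" "$2"); then
        printf 'OK    @load %s -> %s\n' "$2" "$_hit"
    else
        printf 'FAIL  @load %s: not found under %s\n' "$2" "$1"
    fi
}

# Demo: the @load line from the thread resolves only when the directory that
# contains "packages/" is on the search path. With only the site directory
# from the error message, the same failure is reproduced.
_demo_root=$(make_fixture)
check_load "$_demo_root" "packages/metron-bro-plugin-kafka/Apache/Kafka"
check_load "/usr/local/bro/share/bro/site" "packages/metron-bro-plugin-kafka/Apache/Kafka"
rm -rf "$_demo_root"
```

To test the real installation, pass the live path: `check_load "$BROPATH" packages/metron-bro-plugin-kafka/Apache/Kafka` after `eval "$(bro-pkg env)"` for a bro-pkg install. If the plugin was built by hand rather than with bro-pkg, the file that must be found is the one under the plugin's scripts directory, and the @load line has to name a target that exists relative to a search-path entry, not the `packages/` layout that only bro-pkg creates.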