[Zeek] printing stream columns

Henri Dubois-Ferriere henridf at gmail.com
Fri Nov 1 04:11:28 PDT 2019


I've been playing around with Jon's script and am getting close to what I
want, but still have one outstanding issue related to nested records.
Currently they show up as a single field with a type "record foo" (such
as "record conn_id" or "record FTP::ExpectedDataChannel").

I'd like to be able to peek into nested records to get the inner fields
that will show up in the logs. It doesn't seem like there's a way to do
record introspection given a string representation of the record type name,
but I'd be delighted to be told I'm missing something.

Thanks for any pointers!

On Wed, 16 Oct 2019 at 22:47, Henri Dubois-Ferriere <henridf at gmail.com>
wrote:

> Thanks Jon and Anthony for the quick responses! print-log-info.bro looks
> promising for what I'm trying to do.
>
> On Wed, 16 Oct 2019 at 22:37, Jon Siwek <jsiwek at corelight.com> wrote:
>
>> On Wed, Oct 16, 2019 at 12:48 PM Henri Dubois-Ferriere
>> <henridf at gmail.com> wrote:
>> >
>> > I'm trying to print the record type for each log stream at startup.
>> > Something like:
>> >
>> >   for ( id in Log::active_streams ) {
>> >       local stream = Log::active_streams[id];
>> >       print stream$path, stream$columns;
>> >   }
>> >
>> > doesn't work because $columns is a record type, and gets stringified
>> > "<no value description>".
>>
>> Zeek 3.0 should give better descriptions for types.  This was the
>> relevant patch which is not in any 2.6.x version:
>>
>>
>> https://github.com/bro/bro/commit/1f450c05102be6dd7ebcc2c5901d5a3a231cd675
>>
>> This script may also help demonstrate things related to what you're
>> trying to do:
>>
>>   https://gist.github.com/jsiwek/f843b3321f4227b6ec32d110424ebf70
>>
>> It prints field descriptions of all logs either to stdout or a CSV
>> file.  Example command:
>>
>>   ZEEK_ALLOW_INIT_ERRORS=1 zeek print-log-info.bro PrintLogs::csv=F
>>
>> Sample of output:
>>
>> known_hosts.log | Hosts with complete TCP handshakes
>>   ts: time - The timestamp at which the host was detected.
>>   host: addr - The address that was detected originating or responding
>> to a TCP connection.
>>
>> - Jon
>>
>
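An added example, not from the thread and not Jon's gist, showing how such a startup walk could descend into nested records so the flattened column names (as the ASCII writer emits them, joined with ".") are printed. It assumes a Zeek release where record_fields() also accepts a record type name as a string (Zeek 3.1 and later, to my understanding); on 3.0 a nested column is still reported as a single "record conn_id" field.

```zeek
# Example script (not part of the thread or of print-log-info.bro).
# Assumption: record_fields() accepts a record type name as a string,
# e.g. record_fields("conn_id"), which is what lets us recurse into
# nested record fields reported with a type name of "record <Type>".

# Print every field of a record type (passed as a type value or as a
# type-name string), prefixing nested fields with "outer." the way the
# default log writers flatten them (Log::default_scope_sep is ".").
function print_record_fields(rec: any, prefix: string)
	{
	local fields = record_fields(rec);

	for ( name in fields )
		{
		local f = fields[name];
		local full = prefix == "" ? name : fmt("%s.%s", prefix, name);

		# Nested record types appear as "record <TypeName>".
		if ( /^record / in f$type_name )
			{
			print fmt("  %s: %s", full, f$type_name);
			# Strip the "record " prefix to obtain the bare type name,
			# then descend into it (string argument: assumption above).
			local inner = sub(f$type_name, /^record /, "");
			print_record_fields(inner, full);
			}
		else
			print fmt("  %s: %s%s", full, f$type_name,
			          f$log ? "" : " (not logged)");
		}
	}

# Run after the default-priority zeek_init handlers that create streams,
# so Log::active_streams is already populated.
event zeek_init() &priority=-10
	{
	for ( id in Log::active_streams )
		{
		local stream = Log::active_streams[id];
		# Stream$path is &optional; fall back to the stream ID.
		print fmt("%s", stream?$path ? stream$path : fmt("%s", id));
		print_record_fields(stream$columns, "");
		}
	}
```

Run it the same way as the gist, e.g. `ZEEK_ALLOW_INIT_ERRORS=1 zeek print-nested-columns.zeek` (file name is hypothetical), and the conn.log entry will list `id.orig_h: addr`, `id.orig_p: port`, and so on instead of a single `id: record conn_id`.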