[Zeek] uid in files logs
Michał Purzyński
michalpurzynski1 at gmail.com
Wed Nov 6 15:45:36 PST 2019
While I have no idea why it's not default, I'll share a piece of code to
achieve something similar, so you can adapt it to your needs.

Here we wanted to kill logging X509 certificates into both files.log and
x509.log - and by doing that we saved like 20% of our SIEM intake, globally
(!!). Should be easy enough to extend x509.log to include data from
conn.log, etc.
    @load base/frameworks/files
    @load base/files/hash

    module X509;

    export {
        # Extra x509.log columns, so the file id and hash no longer have to
        # be looked up in files.log.
        redef record X509::Info += {
            fuid: string &log &optional;
            md5:  string &log &optional;
        };
    }

    # Priority 40 runs before the base x509 script's priority-5 handler that
    # writes the record, so the new fields are populated when it is logged.
    event file_state_remove(f: fa_file) &priority=40
        {
        if ( ! f$info?$x509 )
            return;

        f$info$x509$fuid = f$info$fuid;

        # The hash analyzer may not produce a digest for a file with gaps;
        # guard the optional field so the handler does not abort.
        if ( f$info?$md5 )
            f$info$x509$md5 = f$info$md5;
        }
On Wed, Nov 6, 2019 at 2:17 AM Palumbo Mauro <mauro.palumbo at aizoon.it>
wrote:
> Hi everybody,
>
> it would be useful for us to have the conn uids in the logs from file
> analyzers (pe.log, x509.log,…). I know this information can be gathered by
> cross-checking different bro logs, but it will save some time to have it
> already in pe.log, etc. I believe this data is available in the record
> fa_file.conns, available in events in the file framework, so it seems not
> difficult to add.
>
> Is there any reason why it is not added by default?
>
> Thanks,
>
> Mauro
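An added example (not code from either poster) that extends the same approach to the connection uids asked about above: it copies the uid of every connection in fa_file.conns into a new x509.log column. It assumes the Zeek 3.x base/files/x509 script, which writes X509::Info from a priority-5 file_state_remove handler, so a priority-40 handler fills the field before the record is logged.

```zeek
@load base/frameworks/files
@load base/files/x509

module X509;

export {
    redef record X509::Info += {
        # Uids of every connection the certificate was seen on. A certificate
        # may be carried by several connections, hence a set, not a string.
        conn_uids: set[string] &log &optional;
    };
}

# Collect connection uids for one file record; split out so the logic can be
# read independently of the event plumbing. Returns an empty set when the
# file has no associated connections.
function conn_uids_of(f: fa_file): set[string]
    {
    local uids: set[string] = set();

    # fa_file$conns is &optional, so test it before iterating.
    if ( f?$conns )
        {
        for ( cid in f$conns )
            add uids[f$conns[cid]$uid];
        }

    return uids;
    }

# Priority 40 runs before the base x509 script's priority-5 handler that
# writes the record to x509.log.
event file_state_remove(f: fa_file) &priority=40
    {
    # Only files that produced an X509::Info record are of interest.
    if ( ! f$info?$x509 )
        return;

    f$info$x509$conn_uids = conn_uids_of(f);
    }
```

The new column lets an analyst join x509.log rows back to conn.log on uid directly, without the files.log hop, which is the same lookup the thread describes saving.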