[Zeek] printing stream columns

anthony kasza anthony.kasza at gmail.com
Wed Oct 16 13:27:16 PDT 2019


Hi Henri,

Great question.
The logging framework is extremely flexible and allows for log stream
columns to dynamically change during run time. This means at startup, the
bro_init() event, Zeek may not know all the columns of all the logs. Here's
a script I wrote for you which sort of answers your question. If you have
more questions about it, just reach back out to the list.

-AK


# Filter predicate: called once per record written through the filter.
# The record arrives as 'any', so type_name() shows which log record type
# (e.g. Conn::Info) is flowing through this stream.
function pfunk(rec: any): bool {
  print type_name(rec);
  return T;  # T keeps the record; F would drop it from the log
}

event bro_init() {
  # Walk every active stream and every filter attached to it ...
  for (id in Log::active_streams) {
    for (fname in Log::get_filter_names(id)) {
      local filter: Log::Filter;
      filter = Log::get_filter(id, fname);
      # ... and install the predicate. Re-adding a filter with the same
      # name replaces the existing one.
      filter$pred = pfunk;
      Log::add_filter(id, filter);
    }
  }
}


On Wed, Oct 16, 2019, 13:48 Henri Dubois-Ferriere <henridf at gmail.com> wrote:

> I'm trying to print the record type for each log stream at startup.
> Something like:
>
>   for ( id in Log::active_streams ) {
>     local stream = Log::active_streams[id];
>     print stream$path, stream$columns;
>   }
>
> doesn't work because $columns is a record type, and gets stringified "<no
> value description>".
>
> Is there a way to do this in zeek script?
>
> Thanks,
> Henri
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
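A fuller version of the predicate approach above, added here as an example and not code from the thread: instead of printing only the record type name, it uses the record_fields() BIF to list each column's name and type, once per record type, and then passes the record through so the log is still written. It assumes Zeek 3.x or later (zeek_init, record_fields, Log::get_filter / Log::add_filter); the module name StreamColumns and the priority value are my own choices. Note that it overwrites any predicate a filter already had, and filters created after this event runs are not covered.

```zeek
# Added example (not from the original thread). Assumes Zeek 3.x+.
# Prints the columns (field name and type) of each log stream the first
# time a record of that type is written, then lets the record through.

module StreamColumns;

export {
    ## Record type names whose columns have already been printed.
    global printed: set[string] = set();
}

function print_columns(rec: any): bool
    {
    # The record arrives as 'any'; its type name identifies the stream's
    # Info record, e.g. "Conn::Info" for conn.log.
    local tname = type_name(rec);

    if ( tname !in printed )
        {
        add printed[tname];
        print fmt("columns of %s:", tname);

        # record_fields() returns table[string] of record_field, which
        # carries the field's type name and whether it is logged.
        local fields = record_fields(rec);
        for ( field_name in fields )
            print fmt("  %s: %s (logged=%s)", field_name,
                      fields[field_name]$type_name,
                      fields[field_name]$log);
        }

    return T;   # T keeps the record; F would drop it from the log
    }

# Negative priority so streams and filters created by other scripts'
# zeek_init handlers already exist when we wrap them.
# Caveat: this replaces any predicate the filter already had.
event zeek_init() &priority=-10
    {
    for ( id in Log::active_streams )
        {
        for ( filter_name in Log::get_filter_names(id) )
            {
            local f = Log::get_filter(id, filter_name);
            f$pred = print_columns;
            Log::add_filter(id, f);
            }
        }
    }
```

Load it alongside the default scripts (for example `zeek -r some.pcap stream-columns.zeek`); each stream's columns appear on stdout the first time that stream writes a record, which is also why nothing can be listed for streams that never see traffic.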