[Zeek] printing stream columns
Jon Siwek
jsiwek at corelight.com
Wed Oct 16 13:37:34 PDT 2019
On Wed, Oct 16, 2019 at 12:48 PM Henri Dubois-Ferriere
<henridf at gmail.com> wrote:
>
> I'm trying to print the record type for each log stream at startup. Something like:
>
> for ( id in Log::active_streams ) {
>     local stream = Log::active_streams[id];
>     print stream$path, stream$columns;
> }
>
> doesn't work because $columns is a record type, and gets stringified "<no value description>".
Zeek 3.0 should give better descriptions for types. This was the
relevant patch which is not in any 2.6.x version:
https://github.com/bro/bro/commit/1f450c05102be6dd7ebcc2c5901d5a3a231cd675
This script may also help demonstrate things related to what you're
trying to do:
https://gist.github.com/jsiwek/f843b3321f4227b6ec32d110424ebf70
It prints field descriptions of all logs either to stdout or a CSV
file. Example command:
ZEEK_ALLOW_INIT_ERRORS=1 zeek print-log-info.bro PrintLogs::csv=F
Sample of output:
known_hosts.log | Hosts with complete TCP handshakes
ts: time - The timestamp at which the host was detected.
host: addr - The address that was detected originating or responding
to a TCP connection.
- Jon
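An added example (not Jon's gist and not code from the thread) that prints each active stream's column names and declared types by inspecting the `columns` record type with `record_fields()`. It assumes `record_fields()` accepts a record type rather than only a record value, and the module, option and file name `print-log-columns.zeek` are invented for the example.

```zeek
# Added example: list the columns (name, type, logged?) of every log stream.
# Assumes record_fields() accepts the record *type* held in stream$columns.
module PrintLogColumns;

export {
    # Pass PrintLogColumns::show_unlogged=F on the command line to hide
    # fields declared with &log=F.
    option show_unlogged = T;
}

# Low priority so every script has already created its streams.
# On Zeek 2.6 the event is named bro_init instead of zeek_init.
event zeek_init() &priority=-10
{
    for ( id in Log::active_streams )
    {
        local stream = Log::active_streams[id];
        # Log::Stream$path is &optional; fall back to the enum name if unset.
        local name = stream?$path ? stream$path : cat(id);
        print fmt("%s.log (%s)", name, id);

        # record_fields() returns table[string] of record_field, where each
        # entry carries type_name and a log flag for the field.
        local fields = record_fields(stream$columns);
        for ( f in fields )
        {
            if ( ! fields[f]$log && ! show_unlogged )
                next;
            print fmt("  %s: %s%s", f, fields[f]$type_name,
                      fields[f]$log ? "" : "  (not logged)");
        }
    }
}
```

Run it as `zeek print-log-columns.zeek` alongside the usual scripts to list every stream; table iteration order is not sorted, so the fields of each log are not guaranteed to appear in declaration order.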