[Zeek] printing stream columns
Henri Dubois-Ferriere
henridf at gmail.com
Wed Oct 16 13:47:05 PDT 2019
Thanks Jon and Anthony for the quick responses! print-log-info.bro looks
promising for what I'm trying to do.
On Wed, 16 Oct 2019 at 22:37, Jon Siwek <jsiwek at corelight.com> wrote:
> On Wed, Oct 16, 2019 at 12:48 PM Henri Dubois-Ferriere
> <henridf at gmail.com> wrote:
> >
> > I'm trying to print the record type for each log stream at startup.
> > Something like:
> >
> >     for ( id in Log::active_streams ) {
> >         local stream = Log::active_streams[id];
> >         print stream$path, stream$columns;
> >     }
> >
> > doesn't work because $columns is a record type, and gets stringified
> > "<no value description>".
>
> Zeek 3.0 should give better descriptions for types. This was the
> relevant patch which is not in any 2.6.x version:
>
> https://github.com/bro/bro/commit/1f450c05102be6dd7ebcc2c5901d5a3a231cd675
>
> This script may also help demonstrate things related to what you're
> trying to do:
>
> https://gist.github.com/jsiwek/f843b3321f4227b6ec32d110424ebf70
>
> It prints field descriptions of all logs either to stdout or a CSV
> file. Example command:
>
> ZEEK_ALLOW_INIT_ERRORS=1 zeek print-log-info.bro PrintLogs::csv=F
>
> Sample of output:
>
>     known_hosts.log | Hosts with complete TCP handshakes
>     ts: time - The timestamp at which the host was detected.
>     host: addr - The address that was detected originating or responding to a TCP connection.
>
> - Jon
>
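An added example (not from this thread and not Jon's gist) of one way to get the per-stream field listing Henri asks for, written against the stock Log::Stream and record_field records. It assumes a Zeek 3.0 or later runtime where record_fields() accepts a record type rather than only a record value; whether that works on 2.6.x is not something this thread establishes. The negative &priority is there so the handler runs after the default scripts have called Log::create_stream in their own zeek_init handlers.

```zeek
# Added example: dump the logged fields of every active log stream at startup.
# Assumes record_fields() accepts a record *type* (Zeek 3.0+), which is how
# stream$columns is stored in Log::active_streams.

event zeek_init() &priority=-10
	{
	for ( id in Log::active_streams )
		{
		local stream = Log::active_streams[id];

		# Log::Stream$path is &optional, so guard it instead of assuming
		# every stream sets one (the original snippet would error here).
		local path = stream?$path ? stream$path : "<no path>";
		print fmt("%s (path: %s)", id, path);

		# record_fields() returns table[string] of record_field.
		local fields = record_fields(stream$columns);

		for ( fname in fields )
			{
			local f = fields[fname];

			# Only fields carrying the &log attribute are written to the log,
			# so skip the rest to match what actually appears on disk.
			if ( ! f$log )
				next;

			print fmt("    %s: %s%s", fname, f$type_name,
			          f$optional ? " (optional)" : "");
			}
		}
	}
```

Run it the same way as the gist, e.g. `zeek list-log-fields.zeek` (file name is mine); the output is one header line per stream followed by an indented line per logged column, which is a useful baseline to diff when a package or policy script changes a log's schema.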