[Zeek] changing conn logging to SQLite

Abdella Battou abattou at gmail.com
Sat Apr 11 08:19:45 PDT 2020


I am new to Zeek and I would like to redirect the conn logging to SQLite. The
documentation says that this is natively supported.

I found this filter "sqlite-conn-filte.zeek" in one of the posts:

event zeek_init()
    {
    # Additional filter on the Conn::LOG stream: same records, different writer.
    local filter: Log::Filter =
        [
        $name="sqlite",
        $path="/var/db/conn",                    # writer appends ".sqlite"
        $config=table(["tablename"] = "conn"),   # SQLite table to write into
        $writer=Log::WRITER_SQLITE
        ];

    Log::add_filter(Conn::LOG, filter);
    }

My question is where to put it (which directory), and do I need to invoke it
somewhere?

cheers,
Abdella
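Added example (not the poster's script and not part of the Zeek distribution): a site-local version of the same filter, written so it can be loaded either once from the command line (zeek -r trace.pcap sqlite-conn-filter.zeek) or permanently by adding "@load ./sqlite-conn-filter" to share/zeek/site/local.zeek and running "zeekctl deploy". The filename sqlite-conn-filter.zeek, the module name SQLiteConn and the 10.0.0.0/8 subnet are assumptions for illustration. The $pred predicate is an addition that keeps only connections touching the listed networks; the default ASCII conn.log keeps being written unless the default filter is removed.

```zeek
# sqlite-conn-filter.zeek  (assumed filename; added example, not the poster's code)
#
# Load once:         zeek -r trace.pcap sqlite-conn-filter.zeek
# Load permanently:  @load ./sqlite-conn-filter   (in share/zeek/site/local.zeek,
#                    then "zeekctl deploy")
#
# The SQLite writer appends ".sqlite" to $path, so db_path below yields
# /var/db/conn.sqlite.  That directory must be writable by the user Zeek
# runs as, or the writer fails and the records are silently lost.

@load base/protocols/conn

module SQLiteConn;

export {
    ## Path prefix of the database file (without the ".sqlite" suffix).
    const db_path = "/var/db/conn" &redef;

    ## Only connections involving these networks are written to SQLite.
    ## 10.0.0.0/8 is an assumed example; redef for your own site.
    const interesting: set[subnet] = { 10.0.0.0/8 } &redef;
}

# Negative priority: run after the Conn::LOG stream has been created.
event zeek_init() &priority=-5
    {
    local filter: Log::Filter =
        [
        $name = "sqlite",
        $path = db_path,
        $writer = Log::WRITER_SQLITE,
        $config = table(["tablename"] = "conn"),
        # Predicate: a record is written only if it returns T.
        $pred = function(rec: Conn::Info): bool
            {
            return rec$id$orig_h in interesting || rec$id$resp_h in interesting;
            }
        ];

    Log::add_filter(Conn::LOG, filter);

    # Uncomment to stop writing the default ASCII conn.log as well.
    # Log::remove_default_filter(Conn::LOG);
    }
```

Dropping the script into the site directory does nothing by itself: Zeek only executes scripts it is told to load, so the @load line (or the command-line argument) is the "invoke" step. Check the result with "sqlite3 /var/db/conn.sqlite 'select count(*) from conn;'" and, if the table stays empty, look at reporter.log for a writer error before suspecting the filter.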