[Zeek] changing conn logging to SQLite
Jon Siwek
jsiwek at corelight.com
Tue Apr 14 17:32:31 PDT 2020
On Sat, Apr 11, 2020 at 8:29 AM Abdella Battou <abattou at gmail.com> wrote:
>
> I am new to Zeek and I would like to redirect the conn logging to SQLite. The documentation says that this is natively supported.
>
> I found this filter "sqlite-conn-filte.zeek" in one of the posts:
>
> event zeek_init()
>     {
>     local filter: Log::Filter =
>         [
>         $name="sqlite",
>         $path="/var/db/conn",
>         $config=table(["tablename"] = "conn"),
>         $writer=Log::WRITER_SQLITE
>         ];
>
>     Log::add_filter(Conn::LOG, filter);
>     }
>
> My question is where to put it (which directory)? And do I need to invoke it somewhere?
Where you put that depends on how you run/deploy Zeek, but the usual
way involving ZeekControl means you could just add it to the end of
your local.zeek file, which gets installed by default (if built from
source) at /usr/local/zeek/share/zeek/site/local.zeek
- Jon
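For readers following the thread, here is a complete version of the snippet as it would be appended to local.zeek. This is an added example, not the original poster's script or anything from the Zeek project; it assumes Zeek was built with its SQLite writer enabled (the default) and that /var/db exists and is writable by the account Zeek runs as.

```zeek
# Added example: appended to the end of
# /usr/local/zeek/share/zeek/site/local.zeek, as suggested in the reply above.
# Nothing else needs to invoke it: ZeekControl loads local.zeek on every
# node, and zeek_init handlers run automatically at startup.

event zeek_init()
    {
    # Send conn records to an SQLite database. The writer appends ".sqlite"
    # to $path, so rows land in /var/db/conn.sqlite, in the table named by
    # the "tablename" config key (mandatory for Log::WRITER_SQLITE).
    local filter: Log::Filter =
        [
        $name="sqlite",
        $path="/var/db/conn",
        $config=table(["tablename"] = "conn"),
        $writer=Log::WRITER_SQLITE
        ];

    Log::add_filter(Conn::LOG, filter);

    # Log::add_filter is additive: the stock "default" filter keeps writing
    # the ASCII conn.log next to the database. Remove it only if SQLite
    # should be the sole destination for conn records; keep it if the
    # existing conn.log is still consumed by other tooling.
    Log::remove_default_filter(Conn::LOG);
    }
```

After a `zeekctl deploy`, a quick sanity check is `sqlite3 /var/db/conn.sqlite 'SELECT COUNT(*) FROM conn;'` once some traffic has been seen; a zero row count with no errors in reporter.log usually means the directory was not writable or the path did not exist when the writer started.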