[Zeek] changing conn logging to SQLite

Jon Siwek jsiwek at corelight.com
Tue Apr 14 17:32:31 PDT 2020


On Sat, Apr 11, 2020 at 8:29 AM Abdella Battou <abattou at gmail.com> wrote:
>
> I am new to Zeek and I would like to redirect the conn logging to SQLite. The documentation says that this is natively supported.
>
> I found this filter "sqlite-conn-filte.zeek" in one of the posts
>
> # Attach an extra log filter to the Conn stream once all streams exist.
> event zeek_init()
>     {
>     local filter: Log::Filter =
>         [
>         $name="sqlite",                           # filter name, must be unique per stream
>         $path="/var/db/conn",                     # database file; writer appends ".sqlite"
>         $config=table(["tablename"] = "conn"),    # SQL table that receives the conn records
>         $writer=Log::WRITER_SQLITE                # use the SQLite writer instead of ASCII
>         ];
>
>      Log::add_filter(Conn::LOG, filter);
>     }
>
> My question is where to put it (which directory)? And do I need to invoke it somewhere?

Where you put that depends on how you run/deploy Zeek, but the usual
way involving ZeekControl means you could just add it to the end of
your local.zeek file, which gets installed by default (if built from
source) at /usr/local/zeek/share/zeek/site/local.zeek

- Jon

