[Zeek] "zq" command-line processor for Zeek logs

Phil Rzewski phil at brimsecurity.com
Tue Feb 11 15:42:24 PST 2020


Zeek community,

We’re writing to let you know about zq <https://github.com/brimsec/zq>, an open source command-line processor for structured logs, built for Zeek. (In fact, we’ve been told zq is “like zeek-cut on steroids”.)

Those of you who were on the “Ask the Zeeksperts” call on January 16th saw Seth Hall and Justin Azoff give an early peek of zq (thanks guys!), so this is just an “official” announcement. Come one, come all!

You can get involved by:
	• Checking out the zq GitHub repo <https://github.com/brimsec/zq> for install info, code, and docs
	• Joining our public Slack <https://join.slack.com/t/brimsec/shared_invite/enQtOTMwMDczODg2ODgyLTk1NTdjOTQxNmI0OGYwOThiYzNlNDc5OWI5NjczZDljNDdmZGZjNGI3NTNiOWRiNzJkMzg4OTEwZWM0Y2NiYWQ> workspace for announcements, Q&A, and to trade query ideas
	• Contacting us directly via email <mailto:info at brimsecurity.com> to schedule a Zoom videoconference

All you need is some Zeek logs (and there are sample logs <https://github.com/brimsec/zq-sample-data> to help you get started). Here’s just a taste of what’s possible:

- A table of top hosts in a subnet that are experiencing the most SYNs-without-ACK:
    zq -f table "10.164.94.0/24 conn_state=S0 | count() by id.orig_h | sort -r" *

- A regex search for certain HTTP methods, with full events output as NDJSON:
    zq -f ndjson "method=/^(PUT|PATCH|UPDATE)$/" *

- Connections open a long time with low traffic, printed as a Zeek TSV log:
    zq -f zeek "duration>1000 orig_bytes<10 resp_bytes<10" *
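To make it clear what the first and third queries above actually compute, here is an added Python example (not part of the announcement and not zq's own code) that re-implements them over a constructed Zeek conn.log in TSV form: the bare-CIDR search, the S0 count grouped by originator, and the long-duration/low-byte filter. The sample records, the function names and the rule that an unset field ("-") never satisfies a comparison are assumptions of this example, not something the announcement states.

```python
import ipaddress
from collections import Counter

# Constructed sample Zeek conn.log (TSV). The traffic is made up, but the
# header rows follow Zeek's real TSV layout so the parser also works on real logs.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tinterval\tcount\tcount\tstring\n"
    "1581400000.1\tC1\t10.164.94.7\t51000\t10.0.0.5\t445\ttcp\t-\t0\t0\tS0\n"
    "1581400000.2\tC2\t10.164.94.7\t51001\t10.0.0.6\t445\ttcp\t-\t0\t0\tS0\n"
    "1581400000.3\tC3\t10.164.94.7\t51002\t10.0.0.7\t445\ttcp\t-\t0\t0\tS0\n"
    "1581400000.4\tC4\t10.164.94.9\t52000\t10.0.0.5\t22\ttcp\t-\t0\t0\tS0\n"
    "1581400000.5\tC5\t10.164.94.9\t52001\t10.0.0.5\t80\ttcp\t0.5\t300\t1200\tSF\n"
    "1581400000.6\tC6\t192.168.1.4\t40000\t10.164.94.20\t443\ttcp\t-\t0\t0\tS0\n"
    "1581400000.7\tC7\t172.16.0.2\t41000\t8.8.8.8\t53\ttcp\t-\t0\t0\tS0\n"
    "1581400000.8\tC8\t10.164.94.9\t52002\t10.0.0.9\t8080\ttcp\t3600.2\t4\t2\tSF\n"
    "1581400000.9\tC9\t10.164.94.7\t51003\t10.0.0.5\t443\ttcp\t2000.0\t5000\t2\tSF\n"
    "1581400001.0\tC10\t10.164.94.9\t52003\t10.0.0.10\t22\ttcp\t-\t-\t-\tS1\n"
)

UNSET = "-"  # Zeek's #unset_field marker


def _convert(value, ztype):
    """Map one TSV cell to a Python value using the Zeek type from the #types row."""
    if value == UNSET:
        return None
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype == "addr":
        return ipaddress.ip_address(value)
    return value  # string, enum and anything else stay as text


def parse_zeek_tsv(text):
    """Return a list of dicts (one per record) from a Zeek TSV log, honouring #fields/#types."""
    fields, types, records = None, None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#types\t"):
            types = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header rows (#separator, #path, #close, ...)
        else:
            cells = line.split("\t")
            records.append({f: _convert(v, t) for f, v, t in zip(fields, cells, types)})
    return records


def top_syn_no_ack(records, cidr):
    """Equivalent of: '<cidr> conn_state=S0 | count() by id.orig_h | sort -r'.

    A bare CIDR in a zq search matches any addr field, so both endpoints are
    checked; only the originator is then used as the grouping key.
    """
    net = ipaddress.ip_network(cidr)
    counts = Counter()
    for r in records:
        in_subnet = any(r[k] is not None and r[k] in net for k in ("id.orig_h", "id.resp_h"))
        if in_subnet and r["conn_state"] == "S0":
            counts[str(r["id.orig_h"])] += 1
    # 'sort -r' orders by count descending; ties are broken by host here only
    # to make the output deterministic (an assumption of this example).
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def long_quiet_connections(records, min_duration=1000, max_bytes=10):
    """Equivalent of: 'duration>1000 orig_bytes<10 resp_bytes<10'.

    Unset fields ('-' in TSV, None here) are treated as never satisfying a
    comparison, so half-recorded connections do not slip into the result.
    """
    hits = []
    for r in records:
        d, ob, rb = r["duration"], r["orig_bytes"], r["resp_bytes"]
        if None in (d, ob, rb):
            continue
        if d > min_duration and ob < max_bytes and rb < max_bytes:
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_CONN_LOG)
    print("id.orig_h\tcount")
    for host, n in top_syn_no_ack(recs, "10.164.94.0/24"):
        print(f"{host}\t{n}")
    print("long, quiet connections:")
    for r in long_quiet_connections(recs):
        print(r["uid"], r["id.orig_h"], "->", r["id.resp_h"], r["duration"])
```

Note that the originator of C6 sits outside 10.164.94.0/24 but is still counted, because the responder is inside the subnet and the query's bare CIDR matches either address; if you only want originators inside the subnet, write `id.orig_h=10.164.94.0/24` explicitly in the zq query (the equivalent of checking only `id.orig_h` above).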

Of course, that’s just scratching the surface. Please try it out and let us know what you think on GitHub <https://github.com/brimsec/zq> or Slack <https://join.slack.com/t/brimsec/shared_invite/enQtOTMwMDczODg2ODgyLTk1NTdjOTQxNmI0OGYwOThiYzNlNDc5OWI5NjczZDljNDdmZGZjNGI3NTNiOWRiNzJkMzg4OTEwZWM0Y2NiYWQ>.

Happy hunting, Zeeking, & zq’ing!

--
The Brim team
