[Zeek] Signatures::LOG - rotation

Justin Azoff justin at corelight.com
Wed Jan 15 11:18:32 PST 2020


How exactly are you reproducing that?

I tried this:

==> foo.sig <==
signature foo {
  ip-proto == tcp
  tcp-state established,originator
  event "hello"
  payload /.*hello/
}

==> foo.zeek <==
@load-sigs ./foo.sig
event zeek_init()
     {
     local f = Log::get_filter(Signatures::LOG, "default");
     f$interv = 30 secs;
     Log::add_filter(Signatures::LOG, f);
     }

and just ran zeek foo.zeek, and after making 2 connections a minute
apart I ended up with 2 rotated log files.


On Wed, Jan 15, 2020 at 1:18 PM os <adamp at os.pl> wrote:

> hello members,
>
> Please, can you help me?
>
> I have a problem with log rotation for the signature LOG (only)
>
> when I use scripts,
>
> event zeek_init()
>      {
>      local f = Log::get_filter(Signatures::LOG, "default");
>      f$interv = 1 min;
>      Log::add_filter(Signatures::LOG, f);
>      }
>
> After the run I have an error.
>
> expression error in
> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
> 579: no such index (Log::all_streams[Log::id])
> fatal error: errors occurred while initializing
>
> The problem occurs in versions 3.0.1; 3.1.0-dev.376
>
> Thank you, for any help.
>
> Adam



-- 
Justin
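
Added example, not part of either message and not Zeek's own code: the error quoted above says the stream id was missing from the logging framework's stream table when the handler ran, so this version checks that the stream and its "default" filter exist before changing the interval. The helper name set_rotation and the &priority=-5 are assumptions made for illustration.

```zeek
@load base/frameworks/signatures

# Hypothetical helper (not from the thread): change the rotation interval of
# a stream's "default" filter only if the stream and the filter both exist.
function set_rotation(id: Log::ID, interv: interval): bool
	{
	# The logging framework indexes its stream table by id; an id that has
	# not been registered yet is what produces "no such index" at startup.
	if ( id !in Log::active_streams )
		{
		Reporter::warning(fmt("log stream %s not created yet, rotation unchanged", id));
		return F;
		}

	local f = Log::get_filter(id, "default");

	# Log::get_filter returns Log::no_filter when the filter name is unknown,
	# so compare the name before writing the record back.
	if ( f$name != "default" )
		{
		Reporter::warning(fmt("no default filter on %s, rotation unchanged", id));
		return F;
		}

	f$interv = interv;
	return Log::add_filter(id, f);
	}

# Assumption: a negative priority makes this handler run after the
# zeek_init handlers that create the log streams.
event zeek_init() &priority=-5
	{
	set_rotation(Signatures::LOG, 1 min);
	}
```

If the warning appears in reporter.log, the stream was not registered at that point, which narrows the problem to load order or to how zeek was started.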