[Zeek] Signatures::LOG - rotation
Justin Azoff
justin at corelight.com
Wed Jan 15 11:18:32 PST 2020
How exactly are you reproducing that?
I tried this:
==> foo.sig <==
signature foo {
	ip-proto == tcp
	tcp-state established,originator
	event "hello"
	payload /.*hello/
}

==> foo.zeek <==
@load-sigs ./foo.sig
event zeek_init()
	{
	local f = Log::get_filter(Signatures::LOG, "default");
	f$interv = 30 secs;
	Log::add_filter(Signatures::LOG, f);
	}

and just running zeek foo.zeek and after making 2 connections a minute
apart ended up with 2 rotated log files.
On Wed, Jan 15, 2020 at 1:18 PM os <adamp at os.pl> wrote:
> hello members,
>
> Please, can you help me
>
> I have a problem with log rotation for signature LOG (only)
>
> when I use scripts,
>
> event zeek_init()
> 	{
> 	local f = Log::get_filter(Signatures::LOG, "default");
> 	f$interv = 1 min;
> 	Log::add_filter(Signatures::LOG, f);
> 	}
>
> After running I have an error.
>
> expression error in
> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
> 579: no such index (Log::all_streams[Log::id])
> fatal error: errors occurred while initializing
>
> The problem occurs in versions 3.0.1; 3.1.0-dev.376
>
> Thank you,
>
> hello Zeek Team,
> Please, can you help me
>
> I have a problem with log rotation for signature LOG (only)
> when I use scripts,
> event zeek_init()
> 	{
> 	local f = Log::get_filter(Signatures::LOG, "default");
> 	f$interv = 1 min;
> 	Log::add_filter(Signatures::LOG, f);
> 	}
> After running zeek I see an error.
> expression error in
> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
> 579: no such index (Log::all_streams[Log::id])
> fatal error: errors occurred while initializing
>
> The problem occurs in versions 3.0.1; 3.1.0-dev.376
>
> Thank you, for any help.
>
> Adam
--
Justin
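
Added example, not part of the original thread and not code from the Zeek project: a guarded variant of the handler above that checks the stream is registered before touching its filter, since the quoted error reports a missing index in Log::all_streams. The constant name sig_rotation_interval, the &priority=-5 value and the warning texts are assumptions chosen for illustration; whether handler ordering is what caused the reported error is not established in this thread.

```zeek
@load base/frameworks/signatures

# Hypothetical tunable (not a Zeek built-in); 30 secs matches the reply above.
const sig_rotation_interval = 30 secs &redef;

# Negative priority: this handler runs after zeek_init handlers at the
# default priority (0) and above, so a stream created in one of those
# handlers is already registered when we look it up.
event zeek_init() &priority=-5
	{
	# Guard against the "no such index" failure: only continue if the
	# logging framework knows about the stream.
	if ( Signatures::LOG !in Log::active_streams )
		{
		Reporter::warning("Signatures::LOG is not an active stream; rotation interval not changed");
		return;
		}

	local f = Log::get_filter(Signatures::LOG, "default");

	# Log::get_filter returns Log::no_filter when no filter of that
	# name exists on the stream.
	if ( f$name == Log::no_filter$name )
		{
		Reporter::warning("Signatures::LOG has no filter named default; rotation interval not changed");
		return;
		}

	# Re-adding a filter under the same name replaces the existing one.
	f$interv = sig_rotation_interval;
	Log::add_filter(Signatures::LOG, f);
	}
```

With this loaded, a missing stream shows up as a warning in reporter.log instead of a fatal initialization error, which makes it easier to tell whether the stream exists at the point the filter is modified.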