[Zeek] Signatures::LOG - rotation

os adamp at os.pl
Wed Jan 15 14:30:46 PST 2020


Thank you for your response.
I did the test with your configuration and it works fine.
So I need to check my configuration carefully.

Thank you for your time



On 15.01.2020 at 20:18, Justin Azoff wrote:
> How exactly are you reproducing that?
>
> I tried this:
>
> ==> foo.sig <==
> signature foo {
>   ip-proto == tcp
>   tcp-state established,originator
>   event "hello"
>   payload /.*hello/
> }
>
> ==> foo.zeek <==
> @load-sigs ./foo.sig
> event zeek_init()
>      {
>      local f = Log::get_filter(Signatures::LOG, "default");
>      f$interv = 30 secs;
>      Log::add_filter(Signatures::LOG, f);
>      }
>
> and just ran zeek foo.zeek; after making 2 connections a minute apart I
> ended up with 2 rotated log files.
>
>
> On Wed, Jan 15, 2020 at 1:18 PM os <adamp at os.pl <mailto:adamp at os.pl>> 
> wrote:
>
>     hello members,
>
>     Please, can you help me?
>
>     I have a problem with log rotation for the signature LOG (only).
>
>     When I use this script,
>
>     event zeek_init()
>          {
>          local f = Log::get_filter(Signatures::LOG, "default");
>          f$interv = 1 min;
>          Log::add_filter(Signatures::LOG, f);
>          }
>
>     after running it I get this error:
>
>     expression error in
>     /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
>     579: no such index (Log::all_streams[Log::id])
>     fatal error: errors occurred while initializing
>
>     The problem occurs in versions 3.0.1; 3.1.0-dev.376
>
>     Thank you for any help.
>
>     Adam
>
>
>
>
>     _______________________________________________
>     Zeek mailing list
>     zeek at zeek.org <mailto:zeek at zeek.org>
>     http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
>
> -- 
> Justin
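The per-filter rotation Justin shows above, carried a step further as an added example (this is not code from the thread or from the Zeek project): it sets the interval on Signatures::LOG only, orders the handler after the stream has been created, and attaches a postprocessor that reports each rotation before the file is renamed as usual. The file name foo.sig (taken to be Justin's signature file next to this script), the 1 min interval and the SigRotation module name are assumptions; Log::get_filter, Log::add_filter, Log::RotationInfo, Log::default_rotation_postprocessors and Reporter::info are Zeek's own.

```zeek
# Added example, not from the thread: rotate signatures.log on its own
# schedule and report each rotation. Assumes Justin's foo.sig from above
# sits next to this script.
@load base/frameworks/logging
@load base/frameworks/signatures
@load-sigs ./foo.sig

module SigRotation;

export {
	# Assumed value: only Signatures::LOG rotates this often; every other
	# stream keeps Log::default_rotation_interval.
	const sig_interval = 1 min &redef;
}

# Postprocessor the logging framework calls for each rotated
# signatures.log. It reports the rotation, then hands the file to the
# writer's default postprocessor so it is still renamed the usual way.
function note_rotation(info: Log::RotationInfo): bool
	{
	Reporter::info(fmt("rotated %s: %s covers %s to %s", info$path, info$fname,
	                   strftime("%H:%M:%S", info$open),
	                   strftime("%H:%M:%S", info$close)));

	if ( info$writer in Log::default_rotation_postprocessors )
		return Log::default_rotation_postprocessors[info$writer](info);

	return T;
	}

# base/frameworks/signatures creates the Signatures::LOG stream in its own
# zeek_init handler. A negative priority runs this handler after it, so the
# stream exists when the default filter is fetched and re-added.
event zeek_init() &priority=-10
	{
	local f = Log::get_filter(Signatures::LOG, "default");
	f$interv = sig_interval;
	f$postprocessor = note_rotation;
	Log::add_filter(Signatures::LOG, f);
	}
```

Run it standalone with zeek -i <iface> sigrotation.zeek (or against a pcap with -r, where rotation follows the packet timestamps rather than the wall clock). Rotated files appear beside the live log under the ASCII writer's default naming, signatures.<open-time>.log, and each rotation also shows up as a Reporter::info entry in reporter.log, which is a quick way to confirm the interval took effect for this stream and no other.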






