[Zeek] Signatures::LOG - rotation

Justin Azoff justin at corelight.com
Fri Jan 17 06:27:08 PST 2020


That still works for me.  The error you are getting is from add_filter
failing to find a log stream with that ID, but Log::create_stream is what
creates that.  I can make it fail like that if I mess with the priorities,
like

event zeek_init() &priority=100
     {
     local f = Log::get_filter(DHCP::LOG, "default");
     f$interv = 1 min;
     Log::add_filter(DHCP::LOG, f);
     }

which makes that run before the

event zeek_init() &priority=5
    {
    Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp,
$path="dhcp"]);
    Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
    }

in the dhcp script.

But with the default priorities I can't see why that would fail.



On Fri, Jan 17, 2020 at 9:00 AM os <adamp at os.pl> wrote:

> Hello,
>
>
> I did some tests and something is wrong.
> Please see the sample configuration:
>
> ==> notice.zeek <==
>
> event zeek_init()
>      {
>      local f = Log::get_filter(Notice::LOG, "default");
>      f$interv = 1 min;
>      Log::add_filter(Notice::LOG, f);
>      }
>
> ==> dhcp.zeek <==
>
> event zeek_init()
>      {
>      local f = Log::get_filter(DHCP::LOG, "default");
>      f$interv = 1 min;
>      Log::add_filter(DHCP::LOG, f);
>      }
>
> ==> foo.sig <==
> signature foo {
>    ip-proto == tcp
>    tcp-state established,originator
>    event "hello"
>    payload /.*hello/
> }
>
> ==> foo.zeek <==
> @load-sigs ./foo.sig
> event zeek_init()
>       {
>       local f = Log::get_filter(Signatures::LOG, "default");
>       f$interv = 30 secs;
>       Log::add_filter(Signatures::LOG, f);
>       }
>
> ==> start.zeek <==
>
> @load ./notice.zeek
> @load ./dhcp.zeek
> @load ./foo.zeek
>
> /usr/local/zeek/bin/zeek -r
> /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap  ./start.zeek
>
>
> expression error in
> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
> 579: no such index (Log::all_streams[Log::id])
> fatal error: errors occurred while initializing
>
> when I make changes
>
> #@load ./notice.zeek
> @load ./dhcp.zeek
> @load ./foo.zeek
>
> or
>
> @load ./notice.zeek
> #@load ./dhcp.zeek
> @load ./foo.zeek
>
> or
>
> @load ./notice.zeek
> @load ./dhcp.zeek
> #@load ./foo.zeek
>
>
> no error occurs after running
>
> Adam
>
>
> > On 15.01.2020 at 23:30, os wrote:
> > Thank you for your response.
> > I did the test with your configuration and it works fine.
> > So I need to check my configuration carefully.
> >
> > Thank you for your time
> >
> >
> >
> > > On 15.01.2020 at 20:18, Justin Azoff wrote:
> >> How exactly are you reproducing that?
> >>
> >> I tried this:
> >>
> >> ==> foo.sig <==
> >> signature foo {
> >>    ip-proto == tcp
> >>    tcp-state established,originator
> >>    event "hello"
> >>    payload /.*hello/
> >> }
> >>
> >> ==> foo.zeek <==
> >> @load-sigs ./foo.sig
> >> event zeek_init()
> >>       {
> >>       local f = Log::get_filter(Signatures::LOG, "default");
> >>       f$interv = 30 secs;
> >>       Log::add_filter(Signatures::LOG, f);
> >>       }
> >>
> >> and just running zeek foo.zeek and after making 2 connections a minute
> >> apart ended up with 2 rotated log files.
> >>
> >>
> >> On Wed, Jan 15, 2020 at 1:18 PM os <adamp at os.pl <mailto:adamp at os.pl>>
> >> wrote:
> >>
> >>      Hello members,
> >>
> >>      Please, can you help me?
> >>
> >>      I have a problem with log rotation for the signature LOG (only)
> >>
> >>      when I use the scripts,
> >>
> >>      event zeek_init()
> >>           {
> >>           local f = Log::get_filter(Signatures::LOG, "default");
> >>           f$interv = 1 min;
> >>           Log::add_filter(Signatures::LOG, f);
> >>           }
> >>
> >>      after running I get an error.
> >>
> >>      expression error in
> >>      /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek,
> line
> >>      579: no such index (Log::all_streams[Log::id])
> >>      fatal error: errors occurred while initializing
> >>
> >>      The problem occurs in versions 3.0.1; 3.1.0-dev.376
> >>
> >>      Thank you, for any help.
> >>
> >>      Adam
> >>
> >>
> >>
> >>
> >>      _______________________________________________
> >>      Zeek mailing list
> >>      zeek at zeek.org <mailto:zeek at zeek.org>
> >>      http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> >>
> >>
> >>
> >> --
> >> Justin
> >
> >
> >
> >
>
>
>
>
>
>


-- 
Justin
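The ordering point made above (Log::add_filter only works once Log::create_stream has run, and the base scripts create their streams at &priority=5) can be made explicit in a single tuning script. The following is an added example, not code from the thread or from the Zeek project; the module name RotationTuning and the set of streams are assumptions, and it uses the documented Log::no_filter sentinel to skip a stream whose default filter does not exist instead of hitting the "no such index" error.

```zeek
# Added example (not from the thread): apply a rotation interval to the
# "default" filter of several streams, running after every create_stream().
# Base scripts call Log::create_stream at &priority=5, so any lower
# priority (here -5) guarantees the streams already exist.
@load base/frameworks/logging
@load base/frameworks/notice
@load base/frameworks/signatures
@load base/protocols/dhcp

module RotationTuning;   # hypothetical module name for this example

export {
	## Streams whose "default" filter should be rotated more often.
	const streams: set[Log::ID] = { Notice::LOG, Signatures::LOG, DHCP::LOG } &redef;

	## Rotation interval applied to each stream listed above.
	const rotation_interval = 1 min &redef;
}

## Set the rotation interval on a stream's "default" filter.
## Returns F when the stream or its default filter does not exist.
function set_rotation(id: Log::ID, interv: interval): bool
	{
	local f = Log::get_filter(id, "default");

	# Log::get_filter returns Log::no_filter (name "<not found>") when the
	# stream or filter is unknown; bail out rather than calling add_filter
	# on a stream that has not been created yet.
	if ( f$name == Log::no_filter$name )
		return F;

	f$interv = interv;
	# add_filter with the same name replaces the existing default filter.
	return Log::add_filter(id, f);
	}

# Lower than the &priority=5 used by the base scripts' create_stream calls.
event zeek_init() &priority=-5
	{
	for ( id in streams )
		{
		if ( ! set_rotation(id, rotation_interval) )
			Reporter::warning(fmt("no default filter for stream %s, not rotating", id));
		}
	}
```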

