[Zeek] Signatures::LOG - rotation
os
adamp at os.pl
Fri Jan 17 07:47:28 PST 2020
very strange, because I didn't change priorities anywhere
On 17.01.2020 at 15:27, Justin Azoff wrote:
> That still works for me. The error you are getting is from add_filter
> failing to find a log stream with that ID, but Log::create_stream is
> what creates that. I can make it fail like that if I mess with the
> priorities, like
>
> event zeek_init() &priority=100
> 	{
> 	local f = Log::get_filter(DHCP::LOG, "default");
> 	f$interv = 1 min;
> 	Log::add_filter(DHCP::LOG, f);
> 	}
>
> which makes that run before the
>
> event zeek_init() &priority=5
> 	{
> 	Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp,
> 	                              $path="dhcp"]);
> 	Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
> 	}
>
> in the dhcp script.
>
> but with the default priorities I can't see why that would fail.
>
>
>
> On Fri, Jan 17, 2020 at 9:00 AM os <adamp at os.pl> wrote:
>
> hello,
>
>
> I did some tests and something is wrong.
> Please see the sample configuration:
>
> ==> notice.zeek <==
>
> event zeek_init()
> 	{
> 	local f = Log::get_filter(Notice::LOG, "default");
> 	f$interv = 1 min;
> 	Log::add_filter(Notice::LOG, f);
> 	}
>
> ==> dhcp.zeek <==
>
> event zeek_init()
> 	{
> 	local f = Log::get_filter(DHCP::LOG, "default");
> 	f$interv = 1 min;
> 	Log::add_filter(DHCP::LOG, f);
> 	}
>
> ==> foo.sig <==
> signature foo {
> 	ip-proto == tcp
> 	tcp-state established,originator
> 	event "hello"
> 	payload /.*hello/
> }
>
> ==> foo.zeek <==
> @load-sigs ./foo.sig
> event zeek_init()
> 	{
> 	local f = Log::get_filter(Signatures::LOG, "default");
> 	f$interv = 30 secs;
> 	Log::add_filter(Signatures::LOG, f);
> 	}
>
> ==> start.zeek <==
>
> @load ./notice.zeek
> @load ./dhcp.zeek
> @load ./foo.zeek
>
> /usr/local/zeek/bin/zeek -r
> /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap ./start.zeek
>
>
> expression error in
> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
> 579: no such index (Log::all_streams[Log::id])
> fatal error: errors occurred while initializing
>
> When I make these changes
>
> #@load ./notice.zeek
> @load ./dhcp.zeek
> @load ./foo.zeek
>
> or
>
> @load ./notice.zeek
> #@load ./dhcp.zeek
> @load ./foo.zeek
>
> or
>
> @load ./notice.zeek
> @load ./dhcp.zeek
> #@load ./foo.zeek
>
>
> no error occurs after running
>
> Adam
>
>
> > On 15.01.2020 at 23:30, os wrote:
> > Thank you for your response.
> > I did the test with your configuration and it works fine.
> > So I need to check my configuration carefully.
> >
> > Thank you for your time
> >
> >
> >
> > On 15.01.2020 at 20:18, Justin Azoff wrote:
> >> How exactly are you reproducing that?
> >>
> >> I tried this:
> >>
> >> ==> foo.sig <==
> >> signature foo {
> >> 	ip-proto == tcp
> >> 	tcp-state established,originator
> >> 	event "hello"
> >> 	payload /.*hello/
> >> }
> >>
> >> ==> foo.zeek <==
> >> @load-sigs ./foo.sig
> >> event zeek_init()
> >> 	{
> >> 	local f = Log::get_filter(Signatures::LOG, "default");
> >> 	f$interv = 30 secs;
> >> 	Log::add_filter(Signatures::LOG, f);
> >> 	}
> >>
> >> and just running zeek foo.zeek and after making 2 connections a minute
> >> apart ended up with 2 rotated log files.
> >>
> >>
> >> On Wed, Jan 15, 2020 at 1:18 PM os <adamp at os.pl> wrote:
> >>
> >> hello members,
> >>
> >> Please, can you help me?
> >>
> >> I have a problem with log rotation for the signature LOG (only).
> >>
> >> When I use this script,
> >>
> >> event zeek_init()
> >> 	{
> >> 	local f = Log::get_filter(Signatures::LOG, "default");
> >> 	f$interv = 1 min;
> >> 	Log::add_filter(Signatures::LOG, f);
> >> 	}
> >>
> >> after running I get an error.
> >>
> >> expression error in
> >> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
> >> 579: no such index (Log::all_streams[Log::id])
> >> fatal error: errors occurred while initializing
> >>
> >> The problem occurs in versions 3.0.1; 3.1.0-dev.376
> >>
> >> Thank you for any help.
> >>
> >> Adam
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> Zeek mailing list
> >> zeek at zeek.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> >>
> >>
> >>
> >> --
> >> Justin
>
> --
> Justin
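One way to make the rotation-interval tweak robust against the ordering problem Justin describes, as an added example that is not part of the thread or of Zeek's own scripts: a single handler with a negative priority, guarded by Log::active_streams, so a stream that has not been created yet produces a warning instead of the fatal "no such index" error. It assumes the other base streams follow the same &priority=5 create_stream convention the dhcp script shows; the helper name and the intervals are constructed for the example.

```zeek
# Added example, not code from the thread or from Zeek's base scripts.
#
# Log::add_filter indexes Log::all_streams, so changing a filter before
# Log::create_stream has run for that stream fails with the fatal
# "no such index (Log::all_streams[Log::id])" error quoted in the thread.
# The dhcp script creates its stream in a zeek_init handler declared with
# &priority=5; this file assumes the other base streams do the same, runs
# its own handler later than all of them, and checks that the stream
# exists before touching its default filter.

# Hypothetical helper; the name is not from the thread.
function set_default_rotation(id: Log::ID, interv: interval)
	{
	# Log::active_streams is the exported table of created, enabled
	# streams. A disabled stream is skipped as well, which is harmless:
	# it writes nothing, so there is nothing to rotate.
	if ( id !in Log::active_streams )
		{
		Reporter::warning(fmt("stream %s does not exist yet; rotation interval left unchanged", id));
		return;
		}

	local f = Log::get_filter(id, "default");
	f$interv = interv;
	Log::add_filter(id, f);
	}

# Negative priority: runs after the &priority=5 create_stream handlers and
# after default-priority (0) handlers in any other loaded script.
event zeek_init() &priority=-10
	{
	# Intervals constructed to mirror the thread's test configuration.
	set_default_rotation(Notice::LOG, 1 min);
	set_default_rotation(DHCP::LOG, 1 min);
	set_default_rotation(Signatures::LOG, 30 secs);
	}
```

Loading this single file in place of the three per-stream zeek_init handlers also removes any dependence on the order of the @load lines in start.zeek.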