[Zeek] Signatures::LOG - rotation

os adamp at os.pl
Fri Jan 17 11:02:10 PST 2020


hello,

I changed the priority in the file and it looks like it works:

/usr/local/zeek/share/zeek/base/frameworks/signatures/main.zeek

event zeek_init() &priority=5
    {
    Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature,
                                          $path="signatures"]);
    }

Thank you for your help and time





On 17.01.2020 at 16:47, os wrote:
> very strange, because I didn't change priorities anywhere
>
>
> On 17.01.2020 at 15:27, Justin Azoff wrote:
>> That still works for me.  The error you are getting is from add_filter
>> failing to find a log stream with that ID, but Log::create_stream is
>> what creates that.  I can make it fail like that if I mess with the
>> priorities, like
>>
>> event zeek_init() &priority=100
>>       {
>>       local f = Log::get_filter(DHCP::LOG, "default");
>>       f$interv = 1 min;
>>       Log::add_filter(DHCP::LOG, f);
>>       }
>>
>> which makes that run before the
>>
>> event zeek_init() &priority=5
>>      {
>>      Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp,
>> $path="dhcp"]);
>>      Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
>>      }
>>
>> in the dhcp script.
>>
>> but with the default priorities I can't see why that would fail.
>>
>>
>>
>> On Fri, Jan 17, 2020 at 9:00 AM os <adamp at os.pl> wrote:
>>
>>      hello,
>>
>>
>>      I did some tests and something is wrong.
>>      Please see the sample configuration:
>>
>>      ==> notice.zeek <==
>>
>>      event zeek_init()
>>           {
>>           local f = Log::get_filter(Notice::LOG, "default");
>>           f$interv = 1 min;
>>           Log::add_filter(Notice::LOG, f);
>>           }
>>
>>      ==> dhcp.zeek <==
>>
>>      event zeek_init()
>>           {
>>           local f = Log::get_filter(DHCP::LOG, "default");
>>           f$interv = 1 min;
>>           Log::add_filter(DHCP::LOG, f);
>>           }
>>
>>      ==> foo.sig <==
>>      signature foo {
>>         ip-proto == tcp
>>         tcp-state established,originator
>>         event "hello"
>>         payload /.*hello/
>>      }
>>
>>      ==> foo.zeek <==
>>      @load-sigs ./foo.sig
>>      event zeek_init()
>>            {
>>            local f = Log::get_filter(Signatures::LOG, "default");
>>            f$interv = 30 secs;
>>            Log::add_filter(Signatures::LOG, f);
>>            }
>>
>>      ==> start.zeek <==
>>
>>      @load ./notice.zeek
>>      @load ./dhcp.zeek
>>      @load ./foo.zeek
>>
>>      /usr/local/zeek/bin/zeek -r /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap ./start.zeek
>>
>>
>>      expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
>>      fatal error: errors occurred while initializing
>>
>>      when I make changes
>>
>>      #@load ./notice.zeek
>>      @load ./dhcp.zeek
>>      @load ./foo.zeek
>>
>>      or
>>
>>      @load ./notice.zeek
>>      #@load ./dhcp.zeek
>>      @load ./foo.zeek
>>
>>      or
>>
>>      @load ./notice.zeek
>>      @load ./dhcp.zeek
>>      #@load ./foo.zeek
>>
>>
>>      no error occurs after running
>>
>>      Adam
>>
>>
>>      On 15.01.2020 at 23:30, os wrote:
>>      > Thank you for your response.
>>      > I did the test with your configuration and it works fine.
>>      > So I need to check my configuration carefully.
>>      >
>>      > Thank you for your time
>>      >
>>      >
>>      >
>>      > On 15.01.2020 at 20:18, Justin Azoff wrote:
>>      >> How exactly are you reproducing that?
>>      >>
>>      >> I tried this:
>>      >>
>>      >> ==> foo.sig <==
>>      >> signature foo {
>>      >>    ip-proto == tcp
>>      >>    tcp-state established,originator
>>      >>    event "hello"
>>      >>    payload /.*hello/
>>      >> }
>>      >>
>>      >> ==> foo.zeek <==
>>      >> @load-sigs ./foo.sig
>>      >> event zeek_init()
>>      >>       {
>>      >>       local f = Log::get_filter(Signatures::LOG, "default");
>>      >>       f$interv = 30 secs;
>>      >>       Log::add_filter(Signatures::LOG, f);
>>      >>       }
>>      >>
>>      >> and just running zeek foo.zeek and after making 2 connections a minute
>>      >> apart ended up with 2 rotated log files.
>>      >>
>>      >>
>>      >> On Wed, Jan 15, 2020 at 1:18 PM os <adamp at os.pl> wrote:
>>      >>
>>      >>      hello members,
>>      >>
>>      >>      Please, can you help me
>>      >>
>>      >>      I have a problem with log rotation for the signature LOG (only)
>>      >>
>>      >>      when I use the script
>>      >>
>>      >>      event zeek_init()
>>      >>           {
>>      >>           local f = Log::get_filter(Signatures::LOG, "default");
>>      >>           f$interv = 1 min;
>>      >>           Log::add_filter(Signatures::LOG, f);
>>      >>           }
>>      >>
>>      >>      after running it I get an error:
>>      >>
>>      >>      expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
>>      >>      fatal error: errors occurred while initializing
>>      >>
>>      >>      The problem occurs in versions 3.0.1; 3.1.0-dev.376
>>      >>
>>      >>      Thank you for any help.
>>      >>
>>      >>      Adam
>>      >>
>>      >>
>>      >>
>>      >>
>>      >>      - - - - - - - - - - - - - - - - - - - -
>>      >>
>>      >>      Hosting with a free SSL certificate from polowe-klatka.pl
>>      >>      _______________________________________________
>>      >>      Zeek mailing list
>>      >>      zeek at zeek.org
>>      >>      http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>      >>
>>      >>
>>      >>
>>      >> --
>>      >> Justin
>>      >
>>      >
>>      >
>>      >
>>
>>
>>
>>
>>
>>
>>
>>
>> -- 
>> Justin
>
>
>
>





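As an added example (not code from the thread, and not Zeek's own scripts), here is how the rotation tweak can be written so that it cannot run before the stream exists, whichever order the user's scripts are loaded in: the handler uses a negative priority, which makes it run after every zeek_init handler at priority 0 or 5 (handlers run in descending priority order), and it checks Log::active_streams, the table the logging framework fills in Log::create_stream, before calling Log::get_filter and Log::add_filter. The file name rotate_sigs.zeek, the module name RotateSigs and the 1 min interval are my choices.

```zeek
# rotate_sigs.zeek (added example; not part of the mailing-list thread)
# Shorten the rotation interval of the signatures.log "default" filter
# without depending on which zeek_init handler happens to run first.

@load base/frameworks/logging
@load base/frameworks/signatures

module RotateSigs;

export {
	## Rotation interval to apply to signatures.log (value chosen for the example).
	const sig_rotation_interval = 1 min &redef;
}

# Negative priority: this handler runs after every zeek_init handler with the
# default priority 0 and after the &priority=5 handlers that create the log
# streams, so Signatures::LOG already exists when we get here.
event zeek_init() &priority=-5
	{
	# Log::create_stream records each stream in Log::active_streams.
	# If the stream is missing, report it instead of triggering
	# "no such index" inside Log::add_filter.
	if ( Signatures::LOG !in Log::active_streams )
		{
		Reporter::warning("Signatures::LOG not created yet; rotation interval unchanged");
		return;
		}

	local f = Log::get_filter(Signatures::LOG, "default");
	f$interv = sig_rotation_interval;
	Log::add_filter(Signatures::LOG, f);
	}
```

Load it from start.zeek with @load ./rotate_sigs.zeek alongside the other scripts, or pass it directly to zeek -r as in the thread; the interval can be changed with a redef of RotateSigs::sig_rotation_interval. The same pattern (negative priority plus the Log::active_streams check) applies to the Notice::LOG and DHCP::LOG filters from the earlier messages.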

