[Zeek] Signatures::LOG - rotation
os
adamp at os.pl
Fri Jan 24 02:12:31 PST 2020
hello,
Another problem with the log file format (default settings):

    ntp-20-01-24_10.22.34.log
    notice.2020-01-24-10-23-00.log
Thank you for your help and time
On 17.01.2020 at 20:59, Justin Azoff wrote:
> Ah, you should change yours to -5, don't modify the shipped scripts.
>
> I think that change is correct though and that this is a bug in the
> signatures script.
>
> running this, I can see that almost every script sets a priority of 5
> for the zeek_init event:
>
> fgrep -r Log::create_str scripts/ -B 2|grep 'event zeek_init'
>
> there are only 3 that don't:
>
> scripts//base/frameworks/signatures/main.zeek-event zeek_init()
> scripts//policy/files/x509/log-ocsp.zeek-event zeek_init()
> scripts//policy/protocols/conn/known-hosts.zeek-event zeek_init()
>
> which explains why you were having this problem. Without a priority
> the default is 0, and the two events will run in an undefined order.
> For me they were running in the order that worked; for you they were
> running in the other order and you were hitting the bug.
>
>
> On Fri, Jan 17, 2020 at 2:02 PM os <adamp at os.pl> wrote:
>
> hello,
>
> I changed the priority in the file and it looks like it works
>
> /usr/local/zeek/share/zeek/base/frameworks/signatures/main.zeek
>
> event zeek_init() &priority=5
>     {
>     Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature,
>                                          $path="signatures"]);
>     }
>
>
> Thank you for your help and time
>
>
>
>
>
> > On 17.01.2020 at 16:47, os wrote:
> > very strange, because I didn't change priorities anywhere
> >
> >
> > On 17.01.2020 at 15:27, Justin Azoff wrote:
> >> That still works for me. The error you are getting is from add_filter
> >> failing to find a log stream with that ID, but Log::create_stream is
> >> what creates that. I can make it fail like that if I mess with the
> >> priorities, like
> >>
> >> event zeek_init() &priority=100
> >>     {
> >>     local f = Log::get_filter(DHCP::LOG, "default");
> >>     f$interv = 1 min;
> >>     Log::add_filter(DHCP::LOG, f);
> >>     }
> >>
> >> which makes that run before the
> >>
> >> event zeek_init() &priority=5
> >>     {
> >>     Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp,
> >>                                    $path="dhcp"]);
> >>     Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
> >>     }
> >>
> >> in the dhcp script.
> >>
> >> but with the default priorities I can't see why that would fail.
> >>
> >>
> >>
> >> On Fri, Jan 17, 2020 at 9:00 AM os <adamp at os.pl> wrote:
> >>
> >> hello,
> >>
> >>
> >> I did some tests and something is wrong.
> >> please see the sample configuration
> >>
> >> ==> notice.zeek <==
> >>
> >> event zeek_init()
> >>     {
> >>     local f = Log::get_filter(Notice::LOG, "default");
> >>     f$interv = 1 min;
> >>     Log::add_filter(Notice::LOG, f);
> >>     }
> >>
> >> ==> dhcp.zeek <==
> >>
> >> event zeek_init()
> >>     {
> >>     local f = Log::get_filter(DHCP::LOG, "default");
> >>     f$interv = 1 min;
> >>     Log::add_filter(DHCP::LOG, f);
> >>     }
> >>
> >> ==> foo.sig <==
> >>
> >> signature foo {
> >>     ip-proto == tcp
> >>     tcp-state established,originator
> >>     event "hello"
> >>     payload /.*hello/
> >> }
> >>
> >> ==> foo.zeek <==
> >>
> >> @load-sigs ./foo.sig
> >> event zeek_init()
> >>     {
> >>     local f = Log::get_filter(Signatures::LOG, "default");
> >>     f$interv = 30 secs;
> >>     Log::add_filter(Signatures::LOG, f);
> >>     }
> >>
> >> ==> start.zeek <==
> >>
> >> @load ./notice.zeek
> >> @load ./dhcp.zeek
> >> @load ./foo.zeek
> >>
> >> /usr/local/zeek/bin/zeek -r /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap ./start.zeek
> >>
> >>
> >> expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
> >> fatal error: errors occurred while initializing
> >>
> >> when I make changes
> >>
> >> #@load ./notice.zeek
> >> @load ./dhcp.zeek
> >> @load ./foo.zeek
> >>
> >> or
> >>
> >> @load ./notice.zeek
> >> #@load ./dhcp.zeek
> >> @load ./foo.zeek
> >>
> >> or
> >>
> >> @load ./notice.zeek
> >> @load ./dhcp.zeek
> >> #@load ./foo.zeek
> >>
> >>
> >> no error occurs after running
> >>
> >> Adam
> >>
> >>
> >> > On 15.01.2020 at 23:30, os wrote:
> >> > Thank you for your response.
> >> > I did the test with your configuration and it works fine.
> >> > So I need to check my configuration carefully.
> >> >
> >> > Thank you for your time
> >> >
> >> >
> >> >
> >> >> On 15.01.2020 at 20:18, Justin Azoff wrote:
> >> >> How exactly are you reproducing that?
> >> >>
> >> >> I tried this:
> >> >>
> >> >> ==> foo.sig <==
> >> >>
> >> >> signature foo {
> >> >>     ip-proto == tcp
> >> >>     tcp-state established,originator
> >> >>     event "hello"
> >> >>     payload /.*hello/
> >> >> }
> >> >>
> >> >> ==> foo.zeek <==
> >> >>
> >> >> @load-sigs ./foo.sig
> >> >> event zeek_init()
> >> >>     {
> >> >>     local f = Log::get_filter(Signatures::LOG, "default");
> >> >>     f$interv = 30 secs;
> >> >>     Log::add_filter(Signatures::LOG, f);
> >> >>     }
> >> >>
> >> >> and just running zeek foo.zeek and after making 2 connections a
> >> >> minute apart ended up with 2 rotated log files.
> >> >>
> >> >>
> >> >> On Wed, Jan 15, 2020 at 1:18 PM os <adamp at os.pl> wrote:
> >> >>
> >> >> hello members,
> >> >>
> >> >> Please, can you help me
> >> >>
> >> >> I have a problem with log rotation for the signature LOG (only).
> >> >>
> >> >> When I use this script,
> >> >>
> >> >> event zeek_init()
> >> >>     {
> >> >>     local f = Log::get_filter(Signatures::LOG, "default");
> >> >>     f$interv = 1 min;
> >> >>     Log::add_filter(Signatures::LOG, f);
> >> >>     }
> >> >>
> >> >> I get an error after running it:
> >> >>
> >> >> expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
> >> >> fatal error: errors occurred while initializing
> >> >>
> >> >> The problem occurs in versions 3.0.1 and 3.1.0-dev.376.
> >> >>
> >> >> Thank you for any help.
> >> >>
> >> >> Adam
> >> >> _______________________________________________
> >> >> Zeek mailing list
> >> >> zeek at zeek.org
> >> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Justin
> >>
> >>
> >>
> >> --
> >> Justin
>
>
>
> --
> Justin
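A consolidated version of the three filter scripts from the thread (notice.zeek, dhcp.zeek and the handler in foo.zeek), written here as an added example that is not code from the thread or from the Zeek project. It applies the fix Justin describes: a single zeek_init() handler at a negative priority, so it is guaranteed to run after the handler in base/frameworks/signatures/main.zeek that creates the stream without a priority of its own. The module name, the set_rotation_interval helper and the &redef tunables are assumptions for this example; the log IDs, Log::get_filter/Log::add_filter and the interv field are the ones used on the page.

```zeek
# Added example, not code from the thread or from the Zeek project.
# Sets a custom rotation interval on the "default" filter of several log
# streams, including Signatures::LOG, from one zeek_init() handler.
#
# Why the priority matters: base/frameworks/signatures/main.zeek creates
# Signatures::LOG in a zeek_init() handler that has no &priority attribute,
# i.e. priority 0.  A local handler that also runs at priority 0 is ordered
# against it arbitrarily, so on some runs Log::get_filter/Log::add_filter
# execute before the stream exists and Zeek aborts with
#   "no such index (Log::all_streams[Log::id])".
# Any priority below 0 orders this handler after every default-priority
# handler; -5 is used here because that is what the thread suggests.

@load base/frameworks/logging
@load base/frameworks/notice
@load base/frameworks/signatures
@load base/protocols/dhcp

# Module name is an assumption for this example.
module LogRotation;

# Tunables (assumptions for this example): override with redef from
# local.zeek instead of editing this file or the shipped scripts.
const notice_log_interval     = 1 min   &redef;
const dhcp_log_interval       = 1 min   &redef;
const signatures_log_interval = 30 secs &redef;

# Fetch the "default" filter of stream `id`, change only its rotation
# interval, and add it back under the same name.  Log::add_filter removes
# an existing filter with a matching name before adding the new one, so
# every other setting of the default filter (path, writer, etc.) survives.
function set_rotation_interval(id: Log::ID, interv: interval)
    {
    local f = Log::get_filter(id, "default");
    f$interv = interv;
    Log::add_filter(id, f);
    }

# Negative priority: runs after all the Log::create_stream handlers shipped
# with Zeek, including the three that set no priority of their own.
event zeek_init() &priority=-5
    {
    set_rotation_interval(Notice::LOG, notice_log_interval);
    set_rotation_interval(DHCP::LOG, dhcp_log_interval);
    set_rotation_interval(Signatures::LOG, signatures_log_interval);
    }
```

Load it with @load from local.zeek, or pass it on the command line the way start.zeek is passed above; foo.zeek then only needs its @load-sigs ./foo.sig line. To check, run zeek -r against a pcap as in the thread and confirm both that the "no such index" error no longer occurs and that the rotated signatures files appear at the configured interval.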