[Zeek] Signatures::LOG - rotation
os
adamp at os.pl
Mon Jan 27 01:26:27 PST 2020
I'm a bit confused and I don't understand why this is happening.
I changed default_rotation_date_format
redef Log::default_rotation_date_format="%y-%m-%d_%H.%M.%S";
and the output log files have a different format, which in turn generates
an error:
signatures.20-01-24_10.23.00.log
notice-20-01-24_10.22.34.log
/bin/mv: cannot stat 'signatures-20-01-24_10.23.00.log': No such file or
directory
disabled:
#redef Log::default_rotation_date_format="%y-%m-%d_%H.%M.%S";
default settings:
Log::default_rotation_date_format
Type: string
Attributes: &redef
Default: "%Y-%m-%d-%H-%M-%S"
output files:
dns-20-01-24_10.22.44.log
ntp-20-01-24_10.22.34.log
signatures.2020-01-24-10-23-00.log
notice-20-01-24_10.22.34.log
ntp-20-01-24_10.23.00.log
weird-20-01-24_10.22.34.log
and the error:
/bin/mv: cannot stat 'signatures-20-01-24_10.23.00.log': No such file or
directory
What does the output file format depend on? Once it is "-" and once it is ".".
Thank you for your answers.
Adam
On 24.01.2020 at 11:12, os wrote:
> hello,
>
> Another problem with the log file format - default settings
> ntp-20-01-24_10.22.34.log
> notice.2020-01-24-10-23-00.log
>
> Thank you for your help and time
>
>
> On 17.01.2020 at 20:59, Justin Azoff wrote:
>> Ah, you should change yours to -5, don't modify the shipped scripts.
>>
>> I think that change is correct though and that this is a bug in the
>> signatures script.
>>
>> running this, I can see that almost every script sets a priority of 5
>> for the zeek_init event:
>>
>> fgrep -r Log::create_str scripts/ -B 2|grep 'event zeek_init'
>>
>> there are only 3 that don't:
>>
>> scripts//base/frameworks/signatures/main.zeek-event zeek_init()
>> scripts//policy/files/x509/log-ocsp.zeek-event zeek_init()
>> scripts//policy/protocols/conn/known-hosts.zeek-event zeek_init()
>>
>> which explains why you were having this problem. Without a priority
>> the default is 0, and the two events will run in an undefined order:
>> for me they were running in the order that worked, for you they were
>> running in the other order and you were hitting the bug.
>>
>>
>> On Fri, Jan 17, 2020 at 2:02 PM os <adamp at os.pl> wrote:
>>
>> hello,
>>
>> I changed the priority in the file and it looks like it works
>>
>> /usr/local/zeek/share/zeek/base/frameworks/signatures/main.zeek
>>
>> event zeek_init() &priority=5
>>     {
>>     Log::create_stream(Signatures::LOG, [$columns=Info,
>>                                          $ev=log_signature,
>>                                          $path="signatures"]);
>>     }
>>
>> Thank you for your help and time
>>
>> On 17.01.2020 at 16:47, os wrote:
>> > very strange, because I didn't change priorities anywhere
>> >
>> >
>> > On 17.01.2020 at 15:27, Justin Azoff wrote:
>> >> That still works for me. The error you are getting is from add_filter
>> >> failing to find a log stream with that ID, but Log::create_stream is
>> >> what creates that. I can make it fail like that if I mess with the
>> >> priorities, like
>> >>
>> >> event zeek_init() &priority=100
>> >>     {
>> >>     local f = Log::get_filter(DHCP::LOG, "default");
>> >>     f$interv = 1 min;
>> >>     Log::add_filter(DHCP::LOG, f);
>> >>     }
>> >>
>> >> which makes that run before the
>> >>
>> >> event zeek_init() &priority=5
>> >>     {
>> >>     Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp,
>> >>                                    $path="dhcp"]);
>> >>     Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
>> >>     }
>> >>
>> >> in the dhcp script.
>> >>
>> >> but with the default priorities I can't see why that would fail.
>> >>
>> >>
>> >>
>> >> On Fri, Jan 17, 2020 at 9:00 AM os <adamp at os.pl> wrote:
>> >>
>> >> hello,
>> >>
>> >>
>> >> I did some tests and something is wrong.
>> >> please see the sample configuration
>> >>
>> >> ==> notice.zeek <==
>> >> event zeek_init()
>> >>     {
>> >>     local f = Log::get_filter(Notice::LOG, "default");
>> >>     f$interv = 1 min;
>> >>     Log::add_filter(Notice::LOG, f);
>> >>     }
>> >>
>> >> ==> dhcp.zeek <==
>> >> event zeek_init()
>> >>     {
>> >>     local f = Log::get_filter(DHCP::LOG, "default");
>> >>     f$interv = 1 min;
>> >>     Log::add_filter(DHCP::LOG, f);
>> >>     }
>> >>
>> >> ==> foo.sig <==
>> >> signature foo {
>> >>     ip-proto == tcp
>> >>     tcp-state established,originator
>> >>     event "hello"
>> >>     payload /.*hello/
>> >> }
>> >>
>> >> ==> foo.zeek <==
>> >> @load-sigs ./foo.sig
>> >> event zeek_init()
>> >>     {
>> >>     local f = Log::get_filter(Signatures::LOG, "default");
>> >>     f$interv = 30 secs;
>> >>     Log::add_filter(Signatures::LOG, f);
>> >>     }
>> >>
>> >> ==> start.zeek <==
>> >> @load ./notice.zeek
>> >> @load ./dhcp.zeek
>> >> @load ./foo.zeek
>> >>
>> >> /usr/local/zeek/bin/zeek -r /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap ./start.zeek
>> >>
>> >>
>> >> expression error in
>> >> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
>> >> 579: no such index (Log::all_streams[Log::id])
>> >> fatal error: errors occurred while initializing
>> >>
>> >> when I make changes
>> >>
>> >> #@load ./notice.zeek
>> >> @load ./dhcp.zeek
>> >> @load ./foo.zeek
>> >>
>> >> or
>> >>
>> >> @load ./notice.zeek
>> >> #@load ./dhcp.zeek
>> >> @load ./foo.zeek
>> >>
>> >> or
>> >>
>> >> @load ./notice.zeek
>> >> @load ./dhcp.zeek
>> >> #@load ./foo.zeek
>> >>
>> >>
>> >> no error occurs after running
>> >>
>> >> Adam
>> >>
>> >>
>> >> On 15.01.2020 at 23:30, os wrote:
>> >> > Thank you for your response.
>> >> > I did the test with your configuration and it works fine.
>> >> > So I need to check my configuration carefully.
>> >> >
>> >> > Thank you for your time
>> >> >
>> >> >
>> >> >
>> >> > On 15.01.2020 at 20:18, Justin Azoff wrote:
>> >> >> How exactly are you reproducing that?
>> >> >>
>> >> >> I tried this:
>> >> >>
>> >> >> ==> foo.sig <==
>> >> >> signature foo {
>> >> >>     ip-proto == tcp
>> >> >>     tcp-state established,originator
>> >> >>     event "hello"
>> >> >>     payload /.*hello/
>> >> >> }
>> >> >>
>> >> >> ==> foo.zeek <==
>> >> >> @load-sigs ./foo.sig
>> >> >> event zeek_init()
>> >> >>     {
>> >> >>     local f = Log::get_filter(Signatures::LOG, "default");
>> >> >>     f$interv = 30 secs;
>> >> >>     Log::add_filter(Signatures::LOG, f);
>> >> >>     }
>> >> >>
>> >> >> and just running zeek foo.zeek and after making 2 connections a minute
>> >> >> apart ended up with 2 rotated log files.
>> >> >>
>> >> >>
>> >> >> On Wed, Jan 15, 2020 at 1:18 PM os <adamp at os.pl> wrote:
>> >> >>
>> >> >> hello members,
>> >> >>
>> >> >> Please, can you help me?
>> >> >>
>> >> >> I have a problem with log rotation for the signature LOG (only).
>> >> >>
>> >> >> When I use the script
>> >> >>
>> >> >> event zeek_init()
>> >> >>     {
>> >> >>     local f = Log::get_filter(Signatures::LOG, "default");
>> >> >>     f$interv = 1 min;
>> >> >>     Log::add_filter(Signatures::LOG, f);
>> >> >>     }
>> >> >>
>> >> >> after running I get the error:
>> >> >>
>> >> >> expression error in
>> >> >> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
>> >> >> 579: no such index (Log::all_streams[Log::id])
>> >> >> fatal error: errors occurred while initializing
>> >> >>
>> >> >> The problem occurs in versions 3.0.1; 3.1.0-dev.376
>> >> >>
>> >> >> Thank you for any help.
>> >> >>
>> >> >> Adam
>> >> >>
>> >> >>
>> >> >> _______________________________________________
>> >> >> Zeek mailing list
>> >> >> zeek at zeek.org
>> >> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>> >> >>
>> >> >> --
>> >> >> Justin
>> >>
>> >> --
>> >> Justin
>>
>> --
>> Justin
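The fix the thread converges on, collected into one stand-alone script (an added example, not code from any of the messages above): the filter change runs at &priority=-5 so it executes after the signatures framework's own zeek_init(), which is where Log::create_stream() registers Signatures::LOG. The signature file foo.sig and the 1 min interval reuse the thread's test values; the file name rotate-signatures.zeek is an assumption.

```zeek
# rotate-signatures.zeek (added example, not from the thread)
# Load the test signature file used in the thread so Signatures::LOG gets entries.
@load-sigs ./foo.sig

# Handlers with equal priority (the default is 0) run in an undefined order,
# so a zeek_init() that touches Signatures::LOG before the framework's own
# zeek_init() has called Log::create_stream() fails with
#   no such index (Log::all_streams[Log::id])
# A negative priority puts this handler after the framework's one, whether
# the shipped script runs at priority 5 or at the unprioritised default of 0.
event zeek_init() &priority=-5
    {
    local f = Log::get_filter(Signatures::LOG, "default");
    f$interv = 1 min;
    Log::add_filter(Signatures::LOG, f);
    }
```

Run it with `zeek -r <pcap> rotate-signatures.zeek` (or `zeek -i <iface> rotate-signatures.zeek`); the shipped scripts stay untouched, which is the point Justin makes about not editing main.zeek.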