[Zeek] Is it possible to split the Weird.log?

ap pumphrey.adam at gmail.com
Fri Jan 31 09:09:30 PST 2020 

Hi Jorge, 

You’re in luck.  Log Filters allow you to do just that.  With filters you have two primary tools at your disposal:

$pred  -  filter out events before they are written to the log (https://docs.zeek.org/en/stable/frameworks/logging.html#filter-log-records <https://docs.zeek.org/en/stable/frameworks/logging.html#filter-log-records>)
$path_func - determine which log file each event should be written to (https://docs.zeek.org/en/stable/frameworks/logging.html#determine-log-path-dynamically <https://docs.zeek.org/en/stable/frameworks/logging.html#determine-log-path-dynamically>)

Those links have some concise examples of how to use each and info about working with filters in general.  There is also a blog from ’12 that has some good examples https://blog.zeek.org/2012/02/filtering-logs-with-bro.html <https://blog.zeek.org/2012/02/filtering-logs-with-bro.html>.  It's from the bro days but the concepts are still relevant.  

Adam 

> On Jan 31, 2020, at 6:27 AM, Jorge Garcia Rodriguez <jgarciar at sia.es> wrote:
> 
> Hi everyone,
>  
> I have been investigating this matter with no succes, and i ´ve decided to send this mail in hopes of some of you could help me.
>  
> In 2 of my zeeks I have a lot of entries in the Weird.log about “bad_HTTP_request”, this generates a lot of traffic that I want to split from the other Weird events before forwarding the events.
>  
> Is it possible to send this “bad_HTTP_request” to another custom log like “bad_request.log”?
>  
> If not possible the first option, is it possible to stop generating this events?
>  
> Thank you all.
>  
> Regards.
>  
>  
>  
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org <mailto:zeek at zeek.org>
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek <http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200131/cc40bb91/attachment-0001.html

More information about the Zeek mailing list