[Zeek] How to debug why some scripts are not loaded?

Justin Azoff justin at corelight.com
Fri Jun 5 11:35:10 PDT 2020


Well if it's in the most recent loaded_scripts log it's definitely being loaded.

Are you looking at the stdout.log in /nsm/zeek/spool/manager? That's
where the dovehawk prints would end up since it only runs on the
manager node.

It's probably a good idea to change all the prints to be reporter info
or debug, that way they end up in the normal logs. 3.1 has an option
'Log::print_to_log' that will send all print output to a normal log
stream, but if you are on 3.0.x it doesn't exist there.

On Fri, Jun 5, 2020 at 3:26 AM Carlos Lopez <clopmz at outlook.com> wrote:
>
> Hi all,
>
> I have a strange problem with dovehawk under Zeek 3.0.6… Yesterday, I refreshed all installed packages with zkg. Only the community-id package was updated. After this, I restarted the whole Zeek cluster. And dovehawk doesn't work …
>
> Reviewing loaded_scripts.log, dovehawk is loaded:
>
> {"name":"  /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/__load__.zeek"}
> {"name":"    /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/add-node-names/__load__.zeek"}
> {"name":"      /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/add-node-names/add-node-names.zeek"}
> {"name":"    /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/__load__.zeek"}
> {"name":"      /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/scripts/dovehawk_expire.zeek"}
> {"name":"        /opt/zeek/share/zeek/policy/frameworks/intel/seen/__load__.zeek"}
> {"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/conn-established.zeek"}
> {"name":"            /opt/zeek/share/zeek/policy/frameworks/intel/seen/where-locations.zeek"}
> {"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/dns.zeek"}
> {"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/file-hashes.zeek"}
> {"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/file-names.zeek"}
> {"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/http-headers.zeek"}
> {"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/http-url.zeek"}
> {"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/pubkey-hashes.zeek"}
> {"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/ssl.zeek"}
> {"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/smb-filenames.zeek"}
> {"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp.zeek"}
> {"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp-url-extraction.zeek"}
> {"name":"          /opt/zeek/share/zeek/policy/frameworks/intel/seen/x509.zeek"}
> {"name":"        /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/scripts/dovehawk.zeek"}
> {"name":"          /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/scripts/config.zeek"}
>
> … but no action is taken (dovehawk reports to stdout.log if all goes well, and to reporter.log if something goes wrong).
>
> How can I debug why dovehawk is not working?
>
> Regards,
>
> C. L. Martinez
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Justin
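The two routes Justin describes, moving package diagnostics from print() to the Reporter framework and, on Zeek 3.1+, redirecting print() output into a regular log stream, as an added example. This is not code from the thread or from the dovehawk package; the module name DebugTrace and the trace() helper are assumptions made for illustration.

```zeek
# Added example (not from the thread or the dovehawk package).
# Shows where diagnostics land on a cluster:
#   1. Reporter::info() is written to reporter.log on the node that
#      raised it, so a manager-only code path shows up in the manager's
#      reporter.log rather than in stdout.log.
#   2. On Zeek >= 3.1, Log::print_to_log copies print() output to
#      print.log; the @if guard keeps a 3.0.x parser from seeing the
#      identifier, which does not exist there.
# Module and helper names are assumptions, not dovehawk's own.

module DebugTrace;

export {
	## Emit a diagnostic through the Reporter framework, tagged with the
	## cluster node that produced it.
	global trace: function(msg: string);
}

# Only defined from 3.1 on; Version::number is e.g. 30100 for 3.1.0.
@if ( Version::number >= 30100 )
redef Log::print_to_log = Log::REDIRECT_ALL;
@endif

function trace(msg: string)
	{
	# Cluster::node is the node name from the cluster layout; it is empty
	# when Zeek runs standalone (e.g. "zeek -r file.pcap").
	local where = Cluster::is_enabled() ? Cluster::node : "standalone";
	Reporter::info(fmt("[%s] %s", where, msg));
	}

event zeek_init()
	{
	# Fires on every node, so one line per node in reporter.log proves the
	# script was loaded and tells you which node's log to read.
	trace(fmt("script loaded (node type %s)", Cluster::local_node_type()));

	# Mirrors a package whose real work runs on the manager only: if this
	# line never shows up in the manager's reporter.log, the manager-only
	# path is not being reached even though loaded_scripts.log lists it.
	if ( Cluster::local_node_type() == Cluster::MANAGER )
		trace("manager-only initialization ran");
	}
```

Loaded from local.zeek (or run standalone against a pcap), the zeek_init line appears in reporter.log as a Reporter::INFO entry; on a cluster the manager's entry lives in the manager's spool directory, the same place Justin points to for stdout.log.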


