changing conn logging to SQLite

Abdella_Battou · April 11, 2020, 3:19pm

I am new to Zeek and I would like to redist the conn logging to SQLite. The documentation says that this is natively supported.

I found this filter “sqlite-conn-filte.zeek” in one of the post

event zeek_init()
{
local filter: Log::Filter =
[
$name=“sqlite”,
$path="/var/db/conn",
$config=table([“tablename”] = “conn”),
$writer=Log::WRITER_SQLITE
];

Log::add_filter(Conn::LOG, filter);
}

my question is where to put (which directory) ? and do I need to invoke it somewhere ?

cheers,
Abdella

Jon_Siwek · April 15, 2020, 12:32am

Where you put that depends on how you run/deploy Zeek, but the usual
way involving ZeekControl means you could just add it to the end of
your local.zeek file which gets installed by default (if built from
source) at /usr/local/zeek/share/zeek/site/local.zeek

- Jon

Topic		Replies	Views
Multiple logs in one SQLite database Development development	3	74	May 6, 2022
Changing logging defaults Zeek	2	85	May 6, 2022
Suppress log file Zeek	2	64	May 6, 2022
Need help splitting HTTP log Zeek	2	138	May 6, 2022
Zeek json log files Zeek	4	265	May 10, 2023

changing conn logging to SQLite

Related Topics