I customized and developed a script called my.zeek to supplement the parsed fields of the HTTP protocol and write them to Kafka. When I used `zeek -r xx.pcap my.zeek`, I saw that the supplemented fields in Kafka had values. However, when I added `@load site/http/main` (the main.zeek content is my.zeek) at the end of zeek/share/zeek/site/local.zeek and ran `zeekctl deploy`, I saw that there were fields in Kafka that I wanted to supplement, but the value was ko. Why? Is there a problem with this custom development method? Looking forward to someone helping me answer, thank you!!!
Hi there and welcome!
It sounds like you’re quite close since it works in your local testing. Are you sure the clusterized Zeek setup sees suitable traffic? I assume by “ko” you mean those fields are in the logs (confirming that your site/http/main.zeek did get deployed and loaded), but are defined `&optional` and have remained unset.

You could also verify via `zeekctl scripts` that your script indeed gets loaded when and where you expect it, and check the other Zeek logs for clues.
Best,
Christian
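For readers following this thread, here is an illustrative Zeek script showing the pattern the answer refers to: an extra `&optional &log` field added to `HTTP::Info` and populated from an HTTP event. This is an added example, not the poster's my.zeek or any Zeek project code; the field name `xff` and the choice of header are hypothetical. The point it demonstrates is that if the event handler never runs in the deployed cluster (for example because the workers see no matching traffic), the field is still present in the log output but stays unset, which is exactly the symptom described above.

```zeek
# Added example (not the poster's script): extend http.log with one optional,
# logged field. An &optional field that is never assigned appears in the output
# as unset, even though the column itself exists.
@load base/protocols/http

module HTTP;

export {
    redef record Info += {
        ## Hypothetical field: client-supplied X-Forwarded-For value, if any.
        xff: string &optional &log;
    };
}

# http_header delivers the header name in upper case. Only set the field when
# an HTTP::Info record already exists for this connection, and only for
# headers sent by the originator (the client side).
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
    {
    if ( ! c?$http )
        return;

    if ( is_orig && name == "X-FORWARDED-FOR" )
        c$http$xff = value;
    }
```

When testing with `zeek -r xx.pcap` this script is loaded on a single process that sees every packet in the capture, so the handler fires and the field gets a value. Under `zeekctl deploy`, the same script runs on the cluster workers, and the field only gets a value on the worker that actually observes an HTTP request carrying that header; `zeekctl scripts` confirms the script is loaded, but only suitable traffic reaching the workers makes the field non-empty.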