Custom Script for log field addition.

Blake_Moss1 · June 2, 2017, 3:19pm

Hi all,

I have a question regarding deploying custom scripts across a distributed bro cluster (manager, multiple worker nodes, etc.). I have a particular custom script which add an extra field to the “conn.log”. When I load this script in my local.bro (via @load myscript) on my manager node and use broctl to deploy this across the cluster I do not get an error. However the extra field in my “conn.log” does not appear in the /usr/local/bro/logs/current/conn.log. I did some looking around and found that the field was however being added to the /usr/local/bro/spool/bro/conn.log. I have tried loading this script in the local-worker.bro, and local-manager.bro but have had no success. Here is my script: module

MyScript.bro

Azoff_Justin_S · June 2, 2017, 3:34pm

Looks like my script

/usr/local/bro/logs/current/conn.log and /usr/local/bro/spool/bro/conn.log should be the same file

/usr/local/bro/logs/current should be a symlink to /usr/local/bro/spool/bro

However, on a cluster the log files should really be under spool/manager or spool/logger, unless you have something like this in node.cfg

[bro]
type=manager
host=..

instead of

[manager]
type=manager
host=..

In any case, you should never add things to local-worker.bro or local-manager.bro.

Topic		Replies	Views
adding fields to HTTP log - cluster environment Zeek	3	64	May 6, 2022
log streams in a bro cluster Zeek	9	83	May 6, 2022
Generate New Log using Customized Script Zeek	2	63	May 6, 2022
loading modules and automatically using custom scripts Zeek	1	79	May 6, 2022
logging locally and to remote logger Zeek	4	62	May 6, 2022

Custom Script for log field addition.

Related Topics