Error when parsing conn.log field name into table with input framework

I am attempting to read conn.log data into a zeek table.

I am following the example on zeek docs here: Input Framework — Book of Zeek (git/master)

I am having issues with setting the table index to the following conn.log fields: id.orig_h, id.resp_h

The example from zeek docs:

type Idx: record {
  ip: addr;
};

My modified code is:

type Idx: record {
  id.orig_h: addr;
  id.resp_h: addr;
};

I get the following error:

The input reader maps the Idx variables to the field names in the log file. If a period (.) is an invalid character for zeek script variable names, is there an escape character or substitution I need to use?

I have confirmed that the error is indeed resulting from an illegal field declaration as a period is not a valid character. But that still does not solve my problem, as I don’t see a way to reference that log data with the input framework outside of the field name.

5.2.1. Identifiers — Spicy v1.9.0-dev.37 (zeek.org)

Hey @bjeffries - you can solve parsing the . separated fields by using nested types in Idx.

# Read a conn.log into conn_table indexed by orig_h and resp_h.

@load base/protocols/conn
redef exit_only_after_terminate=T;

# Nested record: its fields map onto the dotted log columns id.orig_h / id.resp_h.
type my_conn_id: record {
    orig_h: addr;
    resp_h: addr;
};

# Single-field index record, so the table is indexed by my_conn_id directly.
type Idx: record {
    id: my_conn_id;
};

global conn_table: table[my_conn_id] of Conn::Info = table();

event Input::end_of_data(name: string, source: string) {
    print conn_table;
    terminate();
}

event zeek_init() {
    Input::add_table([$source="conn.log", $name="conn.log",
                      $idx=Idx, $val=Conn::Info, $destination=conn_table]);
    Input::remove("conn.log");
}

Depending on your use-case, for reading conn.log, you should probably use uid: string as an index instead of orig_h/resp_h. Alternatively, use Input::add_event() and act on every individual log line instead of building up a table.

Note that the above snippet re-uses Conn::Info as the value type instead of a custom type.

Hope this helps.
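The two alternatives the answer mentions, written out as an added example (this is not code from the thread or from the Zeek project): a table keyed by uid, and Input::add_event() handling each conn.log line as it is read. It assumes a conn.log in Zeek's default tab-separated format with #fields/#types headers in the working directory; the stream names, the conn_line event, and the per-responder counting are illustrative choices.

```zeek
# Added example, not part of the original thread.
#   1. A table keyed by uid (the per-connection unique id) instead of hosts.
#   2. Input::add_event(), which hands every conn.log line to an event handler,
#      so nothing has to be accumulated in a table.
# Assumes a tab-separated conn.log (default ASCII log format with #fields/#types
# headers) in the working directory; stream names and the counting are illustrative.

@load base/protocols/conn
redef exit_only_after_terminate = T;

# --- Variant 1: table indexed by uid --------------------------------------
# With a single-field Idx record the table's index type is that field's type,
# so UidIdx { uid: string } pairs with table[string].
type UidIdx: record {
    uid: string;
};

global conn_by_uid: table[string] of Conn::Info = table();

# --- Variant 2: one event per log line ------------------------------------
# Count connections per responder host while the file streams through;
# only the counters are retained.
global conns_per_resp: table[addr] of count = table() &default=0;

# Handler shape required by Input::add_event(): the stream description,
# the event type (NEW/CHANGED/REMOVED) and the record built from the line.
event conn_line(desc: Input::EventDescription, tpe: Input::Event, r: Conn::Info)
{
    ++conns_per_resp[r$id$resp_h];
}

# Both streams read the same file; terminate only once both have finished,
# since their end_of_data events may arrive in either order.
global streams_done = 0;

event Input::end_of_data(name: string, source: string)
{
    if ( name == "conn_by_uid" )
        print fmt("%d connections indexed by uid", |conn_by_uid|);
    else if ( name == "conn_events" )
        for ( h in conns_per_resp )
            print fmt("%s: %d connections", h, conns_per_resp[h]);

    if ( ++streams_done == 2 )
        terminate();
}

event zeek_init()
{
    Input::add_table([$source="conn.log", $name="conn_by_uid",
                      $idx=UidIdx, $val=Conn::Info, $destination=conn_by_uid]);
    Input::remove("conn_by_uid");

    Input::add_event([$source="conn.log", $name="conn_events",
                      $fields=Conn::Info, $ev=conn_line]);
    Input::remove("conn_events");
}
```

Run it with `zeek ./read_conn.zeek` from the directory containing conn.log. The uid-keyed table stays unambiguous when the same host pair appears in many connections, and the add_event() variant is the one to reach for on large logs, because memory use stays flat no matter how many lines are read.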

@awelzel Thank you so much Arne!