I am developing an asset management app, in the backend I am using zeek for passive asset and services discovery.
In my front side I have some dashboards for gathered data to visualize data better for users.
On the frontend I have two visuals with these titles:
- Inactive services over time (Counting inactive services which were not used in period of time )
- Services usage frequency (Counting service usage base on request to that specific service )
To filling these visuals I am building a zeek custom script to get neccessary data to feed them since parsing conn.log might be tricky and needs heavier load on my back end.
I have some errors in my script and I am no expert in zeek scripting so any info helps me alot
Here is my zeek script:
@load base/frameworks/cluster
module ServiceMonitor;
export {
## Configuration for monitored services
redef enum Log::ID += { LOG_ServiceMonitor };
## Table to hold service usage stats
global service_usage: table[addr, port] of record(
connection_count: count,
last_seen: time
) &default=[0, 0 secs];
}
event zeek_init() {
# Set up log for tracking
Log::create_stream(Log::LOG_ServiceMonitor, [$columns=Info, $path="service_monitor"]);
print "Service Monitor script initialized.";
}
event connection_established(c: connection) {
local dst = c$id$resp_h;
local dport = c$id$resp_p;
# Only monitor connections to local services
if (Site::is_local_addr(dst)) {
# Update the service usage stats
service_usage[dst, dport]$connection_count += 1;
service_usage[dst, dport]$last_seen = network_time;
# Log connection activity
Log::write(Log::LOG_ServiceMonitor, [$ts=network_time, $src_ip=c$id$orig_h, $dst_ip=dst, $dst_port=dport, $count=service_usage[dst, dport]$connection_count]);
}
}
event timer(t: time) {
# Check for inactive services periodically (e.g., every 60 seconds)
local threshold = 300 secs; # 5 minutes inactivity threshold
for (service in service_usage) {
local last_seen = service_usage[service]$last_seen;
if (network_time - last_seen > threshold) {
print fmt("Service %s:%d is inactive for %d seconds", service[0], service[1], network_time - last_seen);
}
}
}
# Periodic execution of timer event
event zeek_done() {
schedule 60 secs { timer(network_time); };
}
I tried to check syntax with ‘zeek -C script.zeek’ command and I am getting some errors
Can anyone check and revise my script to help??