How to debug why some scripts are not loaded?

Hi all,

I have a strange problem with dovehawk under Zeek 3.0.6… Yesterday, I refreshed all installed packages with zkg. Only the community-id package was updated. After this, I restarted the whole Zeek cluster. And dovehawk doesn't work …

Reviewing loaded_scripts.log, dovehawk is loaded:

{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/load.zeek"}

{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/add-node-names/load.zeek"}

{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/add-node-names/add-node-names.zeek"}

{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/load.zeek"}

{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/scripts/dovehawk_expire.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/load.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/conn-established.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/where-locations.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/dns.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/file-hashes.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/file-names.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/http-headers.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/http-url.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/pubkey-hashes.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/ssl.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/smb-filenames.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp-url-extraction.zeek"}

{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/x509.zeek"}

{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/scripts/dovehawk.zeek"}

{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/scripts/config.zeek"}

… but no action is taken (dovehawk reports to stdout.log if all goes well, and to reporter.log if something goes wrong).

How can I debug why dovehawk is not working?

Well, if it's in the most recent loaded_scripts log, it's definitely being loaded.

Are you looking at the stdout.log in /nsm/zeek/spool/manager? That's
where the dovehawk prints would end up since it only runs on the
manager node.

It's probably a good idea to change all the prints to be reporter info
or debug, that way they end up in the normal logs. 3.1 has an option
'Log::print_to_log' that will send all print output to a normal log
stream, but if you are on 3.0.x it doesn't exist there.
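
An added example, not part of the thread: a way to confirm from a JSON loaded_scripts.log which of a package's scripts were loaded and which script pulled each one in. It assumes the "name" field carries two leading spaces per @load nesting level; the sample lines are constructed from paths in the post, and the function names are hypothetical.

```python
import json
import sys

P = "/nsm/zeek/spool/installed-scripts-do-not-touch/site/packages"
# Constructed sample in JSON loaded_scripts.log form, using paths from the post.
# Assumption: two leading spaces in "name" per nesting level of @load.
SAMPLE = [
    '{"name":"%s/load.zeek"}' % P,
    '{"name":"  %s/dovehawk/load.zeek"}' % P,
    '{"name":"    %s/dovehawk/scripts/dovehawk_expire.zeek"}' % P,
    '{"name":"      /opt/zeek/share/zeek/policy/frameworks/intel/seen/load.zeek"}',
    '{"name":"    %s/dovehawk/scripts/dovehawk.zeek"}' % P,
    '{"name":"    %s/dovehawk/scripts/config.zeek"}' % P,
]

def load_tree(lines):
    """Return (depth, path, parent_path) for every script in the log."""
    stack = []    # stack[d] is the most recent script seen at depth d
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and TSV-style headers
        name = json.loads(line)["name"]
        path = name.lstrip(" ")
        # Indentation encodes depth; clamp in case a level is skipped.
        depth = min((len(name) - len(path)) // 2, len(stack))
        del stack[depth:]                 # drop siblings and deeper scripts
        parent = stack[-1] if stack else None
        stack.append(path)
        entries.append((depth, path, parent))
    return entries

def package_scripts(entries, package):
    """Return (path, parent) for scripts that live under one zkg package."""
    marker = "/site/packages/%s/" % package
    return [(path, parent) for _, path, parent in entries if marker in path]

if __name__ == "__main__":
    # Pass a loaded_scripts.log path as the first argument, else use SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE
    found = package_scripts(load_tree(lines), "dovehawk")
    for path, parent in found:
        print("%s\n    loaded by: %s" % (path, parent))
    if not found:
        print("no dovehawk scripts in this log")
```

Confirming the load this way only shows the scripts were parsed; where their output lands is the separate check described in the reply above.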