Hi all,
I have a strange problem with dovehawk under Zeek 3.0.6… Yesterday, I refreshed all installed packages with zkg. Only community-id’s package was updated. After this, I restarted the whole Zeek cluster. And dovehawk doesn’t work …
Reviewing loaded_script.log, dovehawk is loaded:
{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/load.zeek"}
{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/add-node-names/load.zeek"}
{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/add-node-names/add-node-names.zeek"}
{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/load.zeek"}
{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/scripts/dovehawk_expire.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/load.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/conn-established.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/where-locations.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/dns.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/file-hashes.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/file-names.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/http-headers.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/http-url.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/pubkey-hashes.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/ssl.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/smb-filenames.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp-url-extraction.zeek"}
{"name":" /opt/zeek/share/zeek/policy/frameworks/intel/seen/x509.zeek"}
{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/scripts/dovehawk.zeek"}
{"name":" /nsm/zeek/spool/installed-scripts-do-not-touch/site/packages/dovehawk/scripts/config.zeek"}
… but no action is taken (dovehawk reports to stdout.log if all goes well, and to reporter.log if something goes wrong).
How can I debug why dovehawk is not working?