Signatures::LOG - rotation

Hello members,

Please, can you help me?

I have a problem with log rotation for the signature LOG (only).

When I use this script,

event zeek_init()
	{
	# Fetch the stream's "default" filter, shorten its rotation interval and
	# re-add it under the same name so it replaces the original filter.
	local f = Log::get_filter(Signatures::LOG, "default");
	f$interv = 1 min;
	Log::add_filter(Signatures::LOG, f);
	}

After running, I get this error:

expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
fatal error: errors occurred while initializing

The problem occurs in versions 3.0.1; 3.1.0-dev.376

Thank you for any help.

Adam


How exactly are you reproducing that?

I tried this:

==> foo.sig <==
signature foo {
	ip-proto == tcp
	tcp-state established,originator
	event "hello"
	payload /.*hello/
}

==> foo.zeek <==
@load-sigs ./foo.sig
event zeek_init()
	{
	local f = Log::get_filter(Signatures::LOG, "default");
	f$interv = 30 secs;
	Log::add_filter(Signatures::LOG, f);
	}

and just running zeek foo.zeek and after making 2 connections a minute apart ended up with 2 rotated log files.

Thank you for your response.
I did the test with your configuration and it works fine.
So I need to check my configuration carefully.

Thank you for your time

(In reply to Justin Azoff's message of 15.01.2020 20:18.)

_______________________________________________
Zeek mailing list
zeek@zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

Hello,

I did some tests and something is wrong.
Please see the sample configuration:

==> notice.zeek <==

event zeek_init()
	{
	local f = Log::get_filter(Notice::LOG, "default");
	f$interv = 1 min;
	Log::add_filter(Notice::LOG, f);
	}

==> dhcp.zeek <==

event zeek_init()
	{
	local f = Log::get_filter(DHCP::LOG, "default");
	f$interv = 1 min;
	Log::add_filter(DHCP::LOG, f);
	}

==> foo.sig <==
signature foo {
	ip-proto == tcp
	tcp-state established,originator
	event "hello"
	payload /.*hello/
}

==> foo.zeek <==
@load-sigs ./foo.sig
event zeek_init()
	{
	local f = Log::get_filter(Signatures::LOG, "default");
	f$interv = 30 secs;
	Log::add_filter(Signatures::LOG, f);
	}

==> start.zeek <==

@load ./notice.zeek
@load ./dhcp.zeek
@load ./foo.zeek

/usr/local/zeek/bin/zeek -r /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap ./start.zeek

expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
fatal error: errors occurred while initializing

When I make any of these changes:

#@load ./notice.zeek
@load ./dhcp.zeek
@load ./foo.zeek

or

@load ./notice.zeek
#@load ./dhcp.zeek
@load ./foo.zeek

or

@load ./notice.zeek
@load ./dhcp.zeek
#@load ./foo.zeek

no error occurs after running.

Adam

(In reply to os's message of 15.01.2020 23:30.)


That still works for me. The error you are getting is from add_filter failing to find a log stream with that ID, but Log::create_stream is what creates that. I can make it fail like that if I mess with the priorities, like

event zeek_init() &priority=100
	{
	local f = Log::get_filter(DHCP::LOG, "default");
	f$interv = 1 min;
	Log::add_filter(DHCP::LOG, f);
	}

which makes that run before the

event zeek_init() &priority=5
	{
	Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]);
	Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
	}

in the dhcp script.

but with the default priorities I can't see why that would fail.

Very strange, because I didn't change priorities anywhere.

(In reply to Justin Azoff's message of 17.01.2020 15:27.)


Hello,

I changed the priority in the file and it looks like it works:

/usr/local/zeek/share/zeek/base/frameworks/signatures/main.zeek

event zeek_init() &priority=5
	{
	Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures"]);
	}

Thank you for your help and time

(In reply to os's message of 17.01.2020 16:47.)


Ah, you should change yours to -5, don't modify the shipped scripts.

I think that change is correct though and that this is a bug in the signatures script.

running this, I can see that almost every script sets a priority of 5 for the zeek_init event:

fgrep -r Log::create_str scripts/ -B 2 | grep 'event zeek_init'

there are only 3 that don't:

scripts//base/frameworks/signatures/main.zeek-event zeek_init()
scripts//policy/files/x509/log-ocsp.zeek-event zeek_init()
scripts//policy/protocols/conn/known-hosts.zeek-event zeek_init()

which explains why you were having this problem. Without a priority the default is 0, and the two events will run in an undefined order. For me they were running in the order that worked, for you they were running in the other order and you were hitting the bug.
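The filter-adjusting handler written the way Justin recommends here and in his earlier message about priorities, as an added example rather than code from the thread or from the Zeek distribution: a negative &priority makes the handler run after every Log::create_stream() call that sits at priority 5 or at the default 0 (handlers at the same priority run in an unspecified order, which is the race described above), and a check against Log::active_streams turns the fatal "no such index" error into a warning if a stream is still missing. The module name, the fast_rotate set covering the three streams from the thread, and the use of Reporter::warning are this example's own choices, not anything the thread specifies.

```zeek
# Added example, not code from the thread or from the Zeek distribution.
#
# Shipped scripts call Log::create_stream() inside zeek_init(), most of them
# at &priority=5 but a few (e.g. base/frameworks/signatures/main.zeek in
# Zeek 3.0.1) at the default priority 0. Handlers run from the highest
# priority to the lowest, and handlers at the same priority run in an
# unspecified order, so a handler that edits a filter must sit below 0 to be
# certain the stream already exists.
module RotationTuning;

export {
	## Streams whose "default" filter should rotate more often.
	## (Assumption of this example: the three streams used in the thread.)
	const fast_rotate: set[Log::ID] = {
		Signatures::LOG,
		Notice::LOG,
		DHCP::LOG
	} &redef;

	## Rotation interval applied to every stream in fast_rotate.
	const fast_interval = 1 min &redef;
}

function set_interval(id: Log::ID, interv: interval): bool
	{
	# Log::active_streams holds every stream that has been created and not
	# removed. Checking it first reports a creator that has not run yet (or a
	# stream that was disabled) instead of dying on Log::all_streams[id].
	if ( id !in Log::active_streams )
		{
		Reporter::warning(fmt("stream %s does not exist yet; rotation unchanged", id));
		return F;
		}

	# get_filter() returns Log::no_filter (name "<not found>") when the
	# stream has no filter of that name.
	local f = Log::get_filter(id, "default");
	if ( f$name != "default" )
		{
		Reporter::warning(fmt("stream %s has no 'default' filter", id));
		return F;
		}

	f$interv = interv;
	# Re-adding a filter under an existing name replaces it in place.
	return Log::add_filter(id, f);
	}

# -5 runs after every creator at 0 and at 5; any negative value works.
event zeek_init() &priority=-5
	{
	for ( id in fast_rotate )
		set_interval(id, fast_interval);
	}
```

Load this one script instead of one file per stream, for example as zeek -r some.pcap rotation-tuning.zeek (file name assumed here); further streams are then added by redef-ing RotationTuning::fast_rotate rather than by editing the shipped scripts.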

Hello,

Another problem, with the log file name format (default settings):
ntp-20-01-24_10.22.34.log
notice.2020-01-24-10-23-00.log

Thank you for your help and time

(In reply to Justin Azoff's message of 17.01.2020 20:59.)


I'm a bit confused and I don't understand why this is happening.
I changed Log::default_rotation_date_format:

redef Log::default_rotation_date_format="%y-%m-%d_%H.%M.%S";

and the output log files have different formats, which in turn generates an error:

signatures.20-01-24_10.23.00.log

notice-20-01-24_10.22.34.log

/bin/mv: cannot stat 'signatures-20-01-24_10.23.00.log': No such file or directory

When I disable it:

#redef Log::default_rotation_date_format="%y-%m-%d_%H.%M.%S";

and use the default settings:

Log::default_rotation_date_format

Type: string
Attributes: &redef
Default: "%Y-%m-%d-%H-%M-%S"

the output files are:

dns-20-01-24_10.22.44.log
ntp-20-01-24_10.22.34.log
signatures.2020-01-24-10-23-00.log
notice-20-01-24_10.22.34.log
ntp-20-01-24_10.23.00.log
weird-20-01-24_10.22.34.log

and the error is:

/bin/mv: cannot stat 'signatures-20-01-24_10.23.00.log': No such file or directory

What does the output file name format depend on? Once it is "-" and once it is ".".

Thank you for any answers.

Adam

(In reply to os's message of 24.01.2020 11:12.)

hello,

Another problem with the log file format - default settings
ntp-20-01-24_10.22.34.log
notice.2020-01-24-10-23-00.log

Thank you for your help and time

W dniu 17.01.2020 o 20:59, Justin Azoff pisze:

Ah, you should change yours to -5, don't modify the shipped scripts.

I think that change is correct though and that this is a bug in the
signatures script.

running this, I can see that almost every script sets a priority of 5
for the zeek_init event:

 fgrep \-r  Log::create\_str scripts/  \-B 2|grep &#39;event zeek\_init&#39;

there are only 3 that don't:

scripts//base/frameworks/signatures/main.zeek-event zeek_init()
scripts//policy/files/x509/log-ocsp.zeek-event zeek_init()
scripts//policy/protocols/conn/known-hosts.zeek-event zeek_init()

which explains why you were having this problem: without a priority
the default is 0, and the two events will run in an undefined order.
For me they were running in the order that worked, for you they were
running in the other order and you were hitting the bug.

     hello,

     I changed the priority in the file and it looks like it works

     /usr/local/zeek/share/zeek/base/frameworks/signatures/main.zeek

     event zeek_init() &priority=5
     {
         Log::create_stream(Signatures::LOG, [$columns=Info,
                                              $ev=log_signature,
                                              $path="signatures"]);
     }

     Thank you for your help and time

     On 17.01.2020 at 16:47, os wrote:
     > very strange, because I didn't change priorities anywhere
     >
     > On 17.01.2020 at 15:27, Justin Azoff wrote:
     >> That still works for me. The error you are getting is from
     >> add_filter failing to find a log stream with that ID,
     >> but Log::create_stream is
     >> what creates that. I can make it fail like that if I mess with the
     >> priorities, like
     >>
     >> event zeek_init() &priority=100
     >> {
     >> local f = Log::get_filter(DHCP::LOG, "default");
     >> f$interv = 1 min;
     >> Log::add_filter(DHCP::LOG, f);
     >> }
     >>
     >> which makes that run before the
     >>
     >> event zeek_init() &priority=5
     >> {
     >> Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp,
     >> $path="dhcp"]);
     >> Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
     >> }
     >>
     >> in the dhcp script.
     >>
     >> but with the default priorities I can't see why that would fail.
     >>
     >> hello,
     >>
     >> I did some tests and something is wrong.
     >> please see the sample configuration
     >>
     >> ==> notice.zeek <==
     >>
     >> event zeek_init()
     >> {
     >> local f = Log::get_filter(Notice::LOG, "default");
     >> f$interv = 1 min;
     >> Log::add_filter(Notice::LOG, f);
     >> }
     >>
     >> ==> dhcp.zeek <==
     >>
     >> event zeek_init()
     >> {
     >> local f = Log::get_filter(DHCP::LOG, "default");
     >> f$interv = 1 min;
     >> Log::add_filter(DHCP::LOG, f);
     >> }
     >>
     >> ==> foo.sig <==
     >> signature foo {
     >> ip-proto == tcp
     >> tcp-state established,originator
     >> event "hello"
     >> payload /.*hello/
     >> }
     >>
     >> ==> foo.zeek <==
     >> @load-sigs ./foo.sig
     >> event zeek_init()
     >> {
     >> local f = Log::get_filter(Signatures::LOG, "default");
     >> f$interv = 30 secs;
     >> Log::add_filter(Signatures::LOG, f);
     >> }
     >>
     >> ==> start.zeek <==
     >>
     >> @load ./notice.zeek
     >> @load ./dhcp.zeek
     >> @load ./foo.zeek
     >>
     >> /usr/local/zeek/bin/zeek -r
     >> /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap ./start.zeek
     >>
     >> expression error in
     >> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
     >> 579: no such index (Log::all_streams[Log::id])
     >> fatal error: errors occurred while initializing
     >>
     >> when I make changes
     >>
     >> #@load ./notice.zeek
     >> @load ./dhcp.zeek
     >> @load ./foo.zeek
     >>
     >> or
     >>
     >> @load ./notice.zeek
     >> #@load ./dhcp.zeek
     >> @load ./foo.zeek
     >>
     >> or
     >>
     >> @load ./notice.zeek
     >> @load ./dhcp.zeek
     >> #@load ./foo.zeek
     >>
     >> no error occurs after running
     >>
     >> Adam
     >>
     >> On 15.01.2020 at 23:30, os wrote:
     >> > Thank you for your response.
     >> > I did the test with your configuration and it works fine.
     >> > So I need to check my configuration carefully.
     >> >
     >> > Thank you for your time
     >> >
     >> >> On 15.01.2020 at 20:18, Justin Azoff wrote:
     >> >> How exactly are you reproducing that?
     >> >>
     >> >> I tried this:
     >> >>
     >> >> ==> foo.sig <==
     >> >> signature foo {
     >> >> ip-proto == tcp
     >> >> tcp-state established,originator
     >> >> event "hello"
     >> >> payload /.*hello/
     >> >> }
     >> >>
     >> >> ==> foo.zeek <==
     >> >> @load-sigs ./foo.sig
     >> >> event zeek_init()
     >> >> {
     >> >> local f = Log::get_filter(Signatures::LOG, "default");
     >> >> f$interv = 30 secs;
     >> >> Log::add_filter(Signatures::LOG, f);
     >> >> }
     >> >>
     >> >> and just running zeek foo.zeek and after making 2 connections a minute
     >> >> apart ended up with 2 rotated log files.
     >> >>
     >> >> On Wed, Jan 15, 2020 at 1:18 PM os <adamp@os.pl>
     >> >> wrote:
     >> >>
     >> >> hello members,
     >> >>
     >> >> Please, can you help me
     >> >>
     >> >> I have problem with log rotation for signature LOG (only)
     >> >>
     >> >> when I use scripts ,
     >> >>
     >> >> event zeek_init()
     >> >> {
     >> >> local f = Log::get_filter(Signatures::LOG, "default");
     >> >> f$interv = 1 min;
     >> >> Log::add_filter(Signatures::LOG, f);
     >> >> }
     >> >>
     >> >> after run I have error.
     >> >>
     >> >> expression error in
     >> >> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
     >> >> 579: no such index (Log::all_streams[Log::id])
     >> >> fatal error: errors occurred while initializing
     >> >>
     >> >> The problem occurs in versions 3.0.1; 3.1.0-dev.376
     >> >>
     >> >> Thank you , hello Zeek Team,
     >> >> Please, can you help me
     >> >>
     >> >> I have problem with log rotation for signature LOG (only)
     >> >> when I use scripts ,
     >> >> event zeek_init()
     >> >> {
     >> >> local f = Log::get_filter(Signatures::LOG, "default");
     >> >> f$interv = 1 min;
     >> >> Log::add_filter(Signatures::LOG, f);
     >> >> }
     >> >> after run zeek a see error.
     >> >> expression error in
     >> >> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
     >> >> 579: no such index (Log::all_streams[Log::id])
     >> >> fatal error: errors occurred while initializing
     >> >>
     >> >> The problem occurs in versions 3.0.1; 3.1.0-dev.376
     >> >>
     >> >> Thank you, for any help.
     >> >>
     >> >> Adam
     >> >>
     >> >> --
     >> >> Justin
--
Justin


Just as a small followup - to close the circle on this - this was fixed in master and will be part of 3.1.0:

Johanna
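Putting Justin's "-5" advice into one script, as an added example that is not from the thread: a single zeek_init handler at &priority=-5 sets the rotation interval on several streams only after every base script has had its chance to call Log::create_stream, and it skips any stream missing from Log::active_streams instead of tripping the "no such index" error. The rotate_every table and its choice of streams are assumptions; the three stream IDs come from Zeek's base scripts.

```zeek
# Added example, not from the thread. Assumes the Signatures, Notice and
# DHCP streams exist (Zeek's base scripts create them) and that this file
# is loaded with @load or on the zeek command line.

# Streams whose default filter should rotate on a short interval.
# Assumed configuration; override with redef from site scripts.
const rotate_every: table[Log::ID] of interval = {
	[Signatures::LOG] = 1 min,
	[Notice::LOG]     = 1 min,
	[DHCP::LOG]       = 1 min,
} &redef;

# Base scripts call Log::create_stream in zeek_init at &priority=5; the
# signatures script (before the fix mentioned in the thread) used the
# default of 0, so a handler at 0 raced it. Negative priority guarantees
# this handler runs after all of them, regardless of load order.
event zeek_init() &priority=-5
	{
	for ( id in rotate_every )
		{
		# Guard: a stream that was never created (script not loaded,
		# or disabled) must not be touched; get_filter/add_filter on
		# an unknown ID is exactly what produced the fatal error.
		if ( id !in Log::active_streams )
			{
			Reporter::warning(fmt("log stream %s not active, leaving rotation unchanged", id));
			next;
			}

		local f = Log::get_filter(id, "default");
		f$interv = rotate_every[id];
		Log::add_filter(id, f);
		}
	}
```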