Time Machine

All,

I am working with the Time Machine and I am getting logs (tm.log), but I am
not seeing IP data being written to the disk.

My tm.conf file looks like this:

main {
        logfile "tm.log";
        workdir "/data/tmp";
        log_interval 10;
        device "em2";
        # read_tracefile "trace.pcap";
        filter "net 128.218.0.0/16";
        # bro_connect_str "localhost:47757";
        console 0;
        max_index_entries 50000;
        conn_timeout 1800;
}

class "tcp" {
        filter "tcp";
        precedence 5;
        cutoff 10k;
        disk 700g;
        filesize 100m;
        mem 10M;
        pkts_to_disk 2;
}

class "udp" {
        filter "udp";
        precedence 5;
        cutoff 10k;
        disk 500g;
        mem 10m;
}

The output of the tm.log file is similar to this:

191 476 429936 4056 79191 476 1148677908.887460 0 0 0.000000
1148679239.066095 stats_indexes: 209 ip index nodes 244 port index nodes 291 connection index nodes
1148679239.066137 stats_conns: 254 conns
1148679239.066206 stats_queries: 0 query subscriptions
1148679239.066264 stats_rusage: 0.83 s user + 1.04 s sys CPU 28028 MAXRSS
1148679249.067674 stats: 71966/0 recvd/dropd P (0.00) 71942 P 45510646 B 0.4 Mbit/s
1148679249.067806 stats_classes: class_tcp 407165 1704 44590156 65663 407165 1704 1148677908.821760 0 0 0.000000 class_udp 79281 477 433328 4088 79281 477 1148677908.887460 0 0 0.000000
1148679249.067931 stats_indexes: 213 ip index nodes 246 port index nodes 293 connection index nodes
1148679249.067973 stats_conns: 256 conns
1148679249.068066 stats_queries: 0 query subscriptions
1148679249.068106 stats_rusage: 0.84 s user + 1.04 s sys CPU 28028 MAXRSS
1148679259.069525 stats: 72543/0 recvd/dropd P (0.00) 72519 P 45939651 B 0.3 Mbit/s
1148679259.069684 stats_classes: class_tcp 407285 1706 45015383 66203 407285 1706 1148677908.821760 0 0 0.000000 class_udp 79547 480 436720 4120 79547 480 1148677908.887460 0 0 0.000000
1148679259.069819 stats_indexes: 218 ip index nodes 251 port index nodes 297 connection index nodes
1148679259.069861 stats_conns: 259 conns
1148679259.069946 stats_queries: 0 query subscriptions
1148679259.069986 stats_rusage: 0.86 s user + 1.04 s sys CPU 28028 MAXRSS
1148679269.071378 stats: 73177/0 recvd/dropd P (0.00) 73152 P 46424467 B 0.4 Mbit/s
1148679269.071513 stats_classes: class_tcp 407285 1706 45496807 66804 407285 1706 1148677908.821760 0 0 0.000000 class_udp 79547 480 440112 4152 79547 480 1148677908.887460 0 0 0.000000
1148679269.071652 stats_indexes: 218 ip index nodes 251 port index nodes 297 connection index nodes
1148679269.071695 stats_conns: 259 conns
1148679269.071764 stats_queries: 0 query subscriptions
1148679269.071803 stats_rusage: 0.87 s user + 1.04 s sys CPU 28028 MAXRSS

Has anyone run into this behavior before?

Marc

Marc Weisbrod
Security Engineer
University of California at San Francisco
1855 Folsom Street, Room 602
San Francisco, CA 94103
415.476.1841
mweisbrod@its.ucsf.edu
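A small diagnostic for tm.log output of the shape quoted above, added here as an illustration; it is not part of Marc's post or of the Time Machine code. It parses the "stats:" and "stats_classes:" records (wrapped lines rejoined onto one line each), turns the cumulative counters into per-interval deltas, and flags intervals where the capture side drops or stops receiving packets. The "stats:" field names come from the line's own labels; the stats_classes counters are not labelled in the post, so the script treats them as positional numbers and only shows which of them move.

```python
import re

# Constructed sample, copied in shape from the tm.log excerpt in the post:
# three consecutive 10-second "stats" / "stats_classes" pairs, one per line.
SAMPLE_LOG = """\
1148679249.067674 stats: 71966/0 recvd/dropd P (0.00) 71942 P 45510646 B 0.4 Mbit/s
1148679249.067806 stats_classes: class_tcp 407165 1704 44590156 65663 407165 1704 1148677908.821760 0 0 0.000000 class_udp 79281 477 433328 4088 79281 477 1148677908.887460 0 0 0.000000
1148679259.069525 stats: 72543/0 recvd/dropd P (0.00) 72519 P 45939651 B 0.3 Mbit/s
1148679259.069684 stats_classes: class_tcp 407285 1706 45015383 66203 407285 1706 1148677908.821760 0 0 0.000000 class_udp 79547 480 436720 4120 79547 480 1148677908.887460 0 0 0.000000
1148679269.071378 stats: 73177/0 recvd/dropd P (0.00) 73152 P 46424467 B 0.4 Mbit/s
1148679269.071513 stats_classes: class_tcp 407285 1706 45496807 66804 407285 1706 1148677908.821760 0 0 0.000000 class_udp 79547 480 440112 4152 79547 480 1148677908.887460 0 0 0.000000
"""

# "stats:" field names are taken from the line's own labels; the
# stats_classes counters carry no labels in the log, so they stay positional.
STATS_RE = re.compile(r"^(\d+\.\d+) stats: (\d+)/(\d+) recvd/dropd P \([\d.]+\) "
                      r"(\d+) P (\d+) B ([\d.]+) Mbit/s$")
CLASS_RE = re.compile(r"class_(\w+)((?: [\d.]+)+)")

def parse_stats(log):
    """One dict per 'stats:' line with the cumulative packet/byte counters."""
    recs = []
    for m in filter(None, map(STATS_RE.match, log.splitlines())):
        ts, recvd, dropd, pkts, nbytes, mbit = m.groups()
        recs.append({"ts": float(ts), "recvd": int(recvd), "dropd": int(dropd),
                     "pkts": int(pkts), "bytes": int(nbytes), "mbit": float(mbit)})
    return recs

def parse_classes(log):
    """One dict per 'stats_classes:' line: class name -> positional counters."""
    return [{name: [float(v) for v in vals.split()] for name, vals in CLASS_RE.findall(line)}
            for line in log.splitlines() if " stats_classes: " in line]

def interval_deltas(stats):
    """Growth of the cumulative counters between consecutive log intervals."""
    return [{"ts": b["ts"], "recvd": b["recvd"] - a["recvd"],
             "dropd": b["dropd"] - a["dropd"], "bytes": b["bytes"] - a["bytes"]}
            for a, b in zip(stats, stats[1:])]

def class_deltas(classes, name):
    """Per-interval change of every positional counter of one class."""
    return [[y - x for x, y in zip(a[name], b[name])] for a, b in zip(classes, classes[1:])]

def capture_issues(stats):
    """Intervals where the capture side itself looks unhealthy."""
    return [(d["ts"], "packets dropped" if d["dropd"] > 0 else "no packets received")
            for d in interval_deltas(stats) if d["dropd"] > 0 or d["recvd"] <= 0]
```

On the sample, capture_issues() returns nothing and the "stats:" byte counter keeps growing, while the first two class_tcp and class_udp columns stop moving in the last interval; that contrast is what to compare against the on-disk state.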