Want output all http logs

Hello!
I’m new to zeek.
I want to output full http logs. How do I configure this?
I used version 4.1.1.
thank you,
Zhang

Hi there,

Please upgrade to at least Zeek 5 (our current long-term support release line) if at all possible.

You don’t have to do anything special to obtain HTTP logs. If you’re not getting an http.log on the traffic you’re processing, check whether you’re in fact processing the traffic you think you should be seeing (a quick check with tcpdump or a look at conn.log can help), see whether your traffic has invalid checksums (for which you should see a warning — add -C at the command line if so, or set ignore_checksums=T), or that it’s HTTPS traffic.

If none of these are the case, it’d be great to see a small pcap of the non-logged traffic.

Best,
Christian

Thank you for your reply!

I have now upgraded to version 5.0.9.
Only a portion of the http logs have been captured. Some detailed parameters such as uri, method, request_body, request_header, etc. cannot be captured.

How do I output these detailed http logs?

thank you,
Zhang

Hello @zhang, by default uri and method should be logged. Check the documentation for an example: http.log — Book of Zeek (git/master)

For request body or HTTP headers there exist external packages to include them in the http.log.

log-all-http-headers
log-add-http-post-bodies

For the latter you’ll need to use a branch from philrz for compatibility with the latest Zeek version.

If you need more fields, maybe these packages provide enough information on how to extend the http.log? Otherwise feel free to reach out.

Thanks,
Arne
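As an added illustration of what Arne means by extending http.log (this is example code written for this thread, not the source of the log-all-http-headers or log-add-http-post-bodies packages and not part of Zeek itself), the script below adds one new column to http.log holding the client's request headers. It uses the standard `http_all_headers` event and a `redef record HTTP::Info += { ... }` extension; the module name `HTTPHeaderLog`, the field name `request_headers` and the `max_headers` cap are choices made for this example and can be renamed freely.

```zeek
# Added example: extend http.log with the client's request headers.
# Not from the thread's packages or from Zeek's own scripts.
@load base/protocols/http

module HTTPHeaderLog;

export {
    ## Cap on headers recorded per request, so one oversized request
    ## cannot blow up the log line (value chosen for this example).
    const max_headers = 32 &redef;
}

# Adding a &log field to HTTP::Info makes it a column of http.log.
# &optional means the column is "-" for requests where nothing was set.
redef record HTTP::Info += {
    ## Client request headers as "Name: value" strings, in wire order.
    request_headers: vector of string &log &optional;
};

# http_all_headers fires once per message after the header block has been
# parsed; hlist is a table[count] of mime_header_rec indexed from 1.
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
{
    # Only the request side (is_orig), and only once the HTTP analyzer
    # has attached its HTTP::Info record to the connection.
    if ( ! is_orig || ! c?$http )
        return;

    if ( ! c$http?$request_headers )
        c$http$request_headers = vector();

    local i = 1;
    while ( i <= |hlist| && i <= max_headers )
    {
        # Header names are already upper-cased by the analyzer; values are raw.
        c$http$request_headers += fmt("%s: %s", hlist[i]$name, hlist[i]$value);
        ++i;
    }
}
```

Save it as, for instance, `local-http-headers.zeek` and run `zeek -C -r trace.pcap local-http-headers.zeek` (the `-C` matches Christian's checksum advice above); http.log then gains a `request_headers` column. Header values may contain credentials, session cookies and similar material, so treat a log extended this way with the same access controls as the packet capture itself, and trim the recorded set (or the cap) to what the investigation actually needs.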