I’m new to zeek.
I want to output full http logs. How do I configure this?
I used version 4.1.1.
Please upgrade to at least Zeek 5 (our current long-term support release line) if at all possible.
You don’t have to do anything special to obtain HTTP logs. If you’re not getting an http.log on the traffic you’re processing, check whether you’re in fact processing the traffic you think you should be seeing (a quick check with tcpdump or a look at conn.log can help), see whether your traffic has invalid checksums (for which you should see a warning — add -C at the command line if so, or set ignore_checksums=T), or that it’s HTTPS traffic.
If none of these are the case, it’d be great to see a small pcap of the non-logged traffic.
Thank you for your reply!
I have now upgraded to version 5.0.9.
Only a portion of the http logs have been captured. Some detailed parameters such as uri, method, request_body, request_header, etc. cannot be captured.
How do I output these detailed http logs?
For request body or HTTP headers there exist external packages to include them in the http.log.
For the latter you’ll need to use a branch from philrz for compatibility with the latest Zeek version.
If you need more fields, maybe these packages provide enough information on how to extend the http.log? Otherwise feel free to reach out.
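As an added illustration of what "extending the http.log" looks like (this is example code written for this thread, not code from the packages mentioned above or from Zeek itself), the following script adds a request_body column holding the first bytes of the client body. The field name request_body and the tunable max_body_bytes are my own choices; it relies only on the stable http_entity_data event, so it should load unchanged on Zeek 5.0.9.

```zeek
# Adds a truncated copy of the HTTP client request body to http.log.
# Example script for this thread; field and constant names are assumptions.
@load base/protocols/http

module HTTP;

export {
    ## Maximum number of client body bytes kept per request (assumed tunable).
    const max_body_bytes: count = 256 &redef;

    ## Extend the record that backs http.log with a new logged column.
    redef record Info += {
        ## First bytes of the client request body, if a body was seen.
        request_body: string &log &optional;
    };
}

# http_entity_data fires for each chunk of body data in either direction;
# is_orig=T is the client (request) side, which is the part we want.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=3
	{
	if ( ! is_orig || ! c?$http )
		return;

	local cur = c$http?$request_body ? c$http$request_body : "";

	# Stop appending once the cap is reached so a large upload
	# cannot bloat the log line.
	if ( |cur| >= max_body_bytes )
		return;

	# sub_bytes() uses a 1-based start index.
	c$http$request_body = cur + sub_bytes(data, 1, max_body_bytes - |cur|);
	}
```

Load it with zeek -C -r traffic.pcap request_body.zeek and the new column appears at the end of http.log; keep max_body_bytes small, since request bodies routinely carry credentials and form data that you may not want persisted in logs.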