I want to extract files from the network stream.
In local.zeek I have added the lines:
redef FileExtract::prefix = "/data/extract_files/";
@load customscript
I have added a CustomFileExtraction script which extracts certain file types.
Zeek extracts the given file types, but Zeek keeps using the folder /usr/local/zeek/spool/extract_files/[worker_id]
When I use the command zeekctl config, the fileextractdir points to /usr/local/zeek/spool/extract_files
Zeek is working fine, and the file types are extracted like they should be. I can't change the folder where the extracted files are stored. I would like to have one folder without the worker dirs.
when i use the command zeekctl config, the fileextractdir points to /usr/local/zeek/spool/extract_files
Yeah, it’s just a base, zeekctl always appends the Cluster::node value so there’s no chance of writing into another node’s files.
I’d suggest you look at writing a custom file_state_remove() handler. This handler runs after the file was extracted and one can add logic to move the file to a central directory or maybe day/time based directory structure, taking care of not accidentally overwriting existing files. If the directories are on the same filesystem, the move should be instant.
Do you want to give it a try, otherwise I’d be up for sketching a handler, too.
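A sketch of such a handler, added here as an example (it is not code from this thread or from the Zeek project). It assumes /data/extract_files from the question as the central directory, that extraction is already enabled elsewhere via Files::ANALYZER_EXTRACT, and relies on the rename(), mkdir() and file_size() BIFs; rename(2) is instant on the same filesystem and fails across filesystems.

```zeek
# Added example: move each extracted file from the per-worker spool directory
# into one central directory, refusing to overwrite an existing file.
module CentralExtract;

export {
    ## Central directory where every worker's extracted files end up
    ## (assumed value, taken from the question).
    const central_dir = "/data/extract_files" &redef;
}

event zeek_init()
    {
    # Create the target directory on every node; mkdir() returns F if it exists.
    mkdir(central_dir);
    }

# file_state_remove fires once Zeek is finished with the file, i.e. after the
# extract analyzer has closed it. Priority -5 runs after the default handlers
# but before the Files framework writes files.log at priority -10, so the
# updated path lands in the log.
event file_state_remove(f: fa_file) &priority=-5
    {
    if ( ! f?$info || ! f$info?$extracted )
        return;

    # The extracted name is relative to FileExtract::prefix, which zeekctl has
    # already suffixed with this worker's Cluster::node name.
    local src = fmt("%s/%s", FileExtract::prefix, f$info$extracted);

    # Prefix the destination with the node name so two workers can never
    # collide on the same name; the extracted name itself carries the file id.
    local node = Cluster::is_enabled() ? Cluster::node : "standalone";
    local dst = fmt("%s/%s-%s", central_dir, node, f$info$extracted);

    # file_size() returns -1 when the path does not exist.
    if ( file_size(dst) >= 0 )
        {
        Reporter::warning(fmt("refusing to overwrite %s", dst));
        return;
        }

    if ( rename(src, dst) )
        f$info$extracted = dst;
    else
        Reporter::warning(fmt("could not move %s to %s", src, dst));
    }
```

For a day-based layout, build a subdirectory from strftime("%Y-%m-%d", network_time()) into dst and mkdir() it before the rename.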