Zeek install monitoring multiple interfaces, need interface in logs

Hi,

I've been running bro for a few years, a simple, straightforward install. I recently have a need for my bro instance to monitor two interfaces (internal network and external network).

I've gotten this working; it was straightforward. My issue is that in most of the logs there is no tag or field indicating which interface the log entry is referring to. Some logs like weird.log do have a field called "peer"

that indicates what seems to be the interface. dns.log and conn.log do not. Is there an easy way to add this field, or add a field saying which node of the cluster the log entry originated from? I hope that makes sense.

Thank you,

Darrell Miller

Hi Darrell,

This might help – https://blog.zeek.org/2012/02/filtering-logs-with-bro.html

Thanks,
Eric

Thanks, I found this right after I hit "send" on my mail.

Here is what I came up with to save anyone else a little bit of time:
If there is a better way of doing it, please let me know. So far these are the logs I've been able to add the interface to. communication.log did not work using the same pattern.

—====================================================================================================================

# add interface name to log filename:
event bro_init()
{
    # Only split when sniffing live; pcap replays keep the default filenames.
    if ( reading_live_traffic() )
    {
        # get_event_peer() names the cluster node that sent this log record;
        # look up that node's interface in the cluster configuration.
        Log::remove_default_filter(HTTP::LOG);
        Log::add_filter(HTTP::LOG, [$name = "http-interfaces",
            $path_func(id: Log::ID, path: string, rec: HTTP::Info) =
            {
                local peer = get_event_peer()$descr;
                if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
                    return cat("http_", Cluster::nodes[peer]$interface);
                else
                    return "http";
            }
        ]);

        Log::remove_default_filter(Conn::LOG);
        Log::add_filter(Conn::LOG, [$name = "conn-interfaces",
            $path_func(id: Log::ID, path: string, rec: Conn::Info) =
            {
                local peer = get_event_peer()$descr;
                if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
                    return cat("conn_", Cluster::nodes[peer]$interface);
                else
                    return "conn";
            }
        ]);

        Log::remove_default_filter(Weird::LOG);
        Log::add_filter(Weird::LOG, [$name = "weird-interfaces",
            $path_func(id: Log::ID, path: string, rec: Weird::Info) =
            {
                local peer = get_event_peer()$descr;
                if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
                    return cat("weird_", Cluster::nodes[peer]$interface);
                else
                    return "weird";
            }
        ]);

        Log::remove_default_filter(DNS::LOG);
        Log::add_filter(DNS::LOG, [$name = "DNS-interfaces",
            $path_func(id: Log::ID, path: string, rec: DNS::Info) =
            {
                local peer = get_event_peer()$descr;
                if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
                    return cat("DNS_", Cluster::nodes[peer]$interface);
                else
                    return "dns";
            }
        ]);
    } # end if
} # end event

—====================================================================================================================

In your logs folder, each logfile will be split up by the interface:

DNS_eth01.log
DNS_eth02.log
weird_eth01.log
weird_eth02.log
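The four filters above repeat the same path logic once per stream. The following is an added example, not the poster's script and not code from the Bro project: it factors the lookup into one path function of type `function(id: Log::ID, path: string, rec: any): string` and drives the filter installation from a table of stream IDs, so adding another stream is a one-line change. It assumes the same Bro 2.x environment the thread uses (a cluster where `get_event_peer()$descr` names the worker that produced the record and `Cluster::nodes[...]$interface` is populated from node.cfg); the module name `IfaceSplit`, the table name `streams` and the lowercase `dns` prefix are my own choices.

```zeek
# Added example: one shared path_func for every stream in `streams`.
# Assumes Bro 2.x cluster APIs (get_event_peer, Cluster::nodes) as used in the thread.
@load base/frameworks/cluster
@load base/frameworks/logging

module IfaceSplit;

export {
    ## Streams to split per interface, mapped to the filename prefix to use.
    ## Extend with `redef IfaceSplit::streams += { [SSL::LOG] = "ssl" };` in local.bro.
    const streams: table[Log::ID] of string = {
        [HTTP::LOG]  = "http",
        [Conn::LOG]  = "conn",
        [Weird::LOG] = "weird",
        [DNS::LOG]   = "dns",
    } &redef;
}

# Return "<prefix>_<interface>" when the sending node is a known cluster
# worker with an interface configured, otherwise fall back to "<prefix>".
function iface_path(id: Log::ID, path: string, rec: any): string
{
    # Guard against being attached to a stream that was not in the table.
    local prefix = ( id in streams ) ? streams[id] : path;

    local peer = get_event_peer()$descr;
    if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
        return cat(prefix, "_", Cluster::nodes[peer]$interface);

    return prefix;
}

# Negative priority so the base scripts have already created their streams.
event bro_init() &priority=-5
{
    # Only split live traffic; pcap replays keep the default filenames.
    if ( ! reading_live_traffic() )
        return;

    for ( id in streams )
    {
        Log::remove_default_filter(id);
        Log::add_filter(id, [$name = cat(streams[id], "-interfaces"),
                             $path_func = iface_path]);
    }
}
```

Because the table is `&redef`, operators can add or drop streams from local.bro without touching this script; streams left out of the table keep their default single log file.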