Hi,
What all kind of stats zeek provides? I can see stats.log, weird-stats.log and many other logs are supported but can’t able to enable these logs. By default my zeek is generating weird, conn and packet filter log. Please let me know the configuration!
Also is there any event API available to get per connection advance stats like standard deviation, average pkt count or size , Inter arrival time (IAT) max min mean etc.
similarly event API to get global or aggregated statistics for all connections ?
Please let me know what else we can get from zeek in terms of statistics!
Thanks
Biswa
You’ll want to @load misc/stats to get a stats.log. You can redef Stats::report_interval to get updates at intervals other than the default 5 minutes. The Stats::Info record spells out the data reported that way, see details here.
Alternatively you can collect metrics from Zeek via the telemetry framework, including scraping support for Prometheus.
Thanks a lot @Christian . I have added @load misc/stats in local.zeek. Anyway can’t able to generate stats.log. Also can’t able to redef the report_interval variable as well. It’s giving redef used but not previously defined(Stats::report_interval).
Then I tried to pass Stats::report_interval=5sec as an argument to the zeek command along with the pcap and script but it is giving unknown identifier in command-line options.
Also I tried to modify the original stats.zeek but that is also not reflecting.
It’s working fine here for example with a simple zeek -r some.pcap misc/stats. If you’re using local.zeek, note that it already includes stats logging by default so you need to do nothing.
The default stats logging interval is 5 minutes, so you’d need to wait that long to see the log if you’re running continuously.
stats::report_interval=1secs should be Stats::report_interval=1secs — case matters. But there’s no point in doing that since it’s redundant to your test.zeek file.
In the previous I forgot to write Stats::report_interval , I tried that only (case sensitive) but it’s giving unknown identifier in command-line options
Hi,
My requirement is to get per connection stats such as orig and resp pkt, bytes at an particular interval or periodically. I have found that conn stats are already there in connection structure and connection_status_update() event can generate such periodic stats. Also I will use stats.log for accessing global or aggregated counters. Is there any other efficient method to get per connection stat ?