mirror of
https://github.com/zeek/zeek.git
synced 2025-10-09 10:08:20 +00:00
596f07e505
- New variable in logging framework Log::active_streams to indicate Log:ID enums which are currently active.
33 lines
1.1 KiB
Text
33 lines
1.1 KiB
Text
##! Load this script to enable global log output to an ElasticSearch database.
|
|
|
|
module LogElasticSearch;
|
|
|
|
export {
|
|
## An elasticsearch specific rotation interval.
|
|
const rotation_interval = 3hr &redef;
|
|
|
|
## Optionally ignore any :bro:type:`Log::ID` from being sent to
|
|
## ElasticSearch with this script.
|
|
const excluded_log_ids: set[string] = set("Communication::LOG") &redef;
|
|
|
|
## If you want to explicitly only send certain :bro:type:`Log::ID`
|
|
## streams, add them to this set. If the set remains empty, all will
|
|
## be sent. The :bro:id:`LogElasticSearch::excluded_log_ids` option will remain in
|
|
## effect as well.
|
|
const send_logs: set[string] = set() &redef;
|
|
}
|
|
|
|
event bro_init() &priority=-5
|
|
{
|
|
for ( stream_id in Log::active_streams )
|
|
{
|
|
if ( fmt("%s", stream_id) in excluded_log_ids ||
|
|
(|send_logs| > 0 && fmt("%s", stream_id) !in send_logs) )
|
|
next;
|
|
|
|
local filter: Log::Filter = [$name = "default-es",
|
|
$writer = Log::WRITER_ELASTICSEARCH,
|
|
$interv = LogElasticSearch::rotation_interval];
|
|
Log::add_filter(stream_id, filter);
|
|
}
|
|
}
|