mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 07:38:19 +00:00
45 lines
1.3 KiB
Text
45 lines
1.3 KiB
Text
##! Load this script to enable global log output to an ElasticSearch database.
|
|
|
|
module LogElasticSearch;
|
|
|
|
export {
|
|
## An elasticsearch specific rotation interval.
|
|
const rotation_interval = 24hr &redef;
|
|
|
|
## Optionally ignore any :bro:type:`Log::ID` from being sent to
|
|
## ElasticSearch with this script.
|
|
const excluded_log_ids: set[string] = set("Communication::LOG") &redef;
|
|
|
|
## If you want to explicitly only send certain :bro:type:`Log::ID`
|
|
## streams, add them to this set. If the set remains empty, all will
|
|
## be sent. The :bro:id:`LogElasticSearch::excluded_log_ids` option will remain in
|
|
## effect as well.
|
|
const send_logs: set[string] = set() &redef;
|
|
}
|
|
|
|
module Log;
|
|
|
|
event bro_init() &priority=-5
|
|
{
|
|
local my_filters: table[ID, string] of Filter = table();
|
|
|
|
for ( [id, name] in filters )
|
|
{
|
|
local filter = filters[id, name];
|
|
if ( fmt("%s", id) in LogElasticSearch::excluded_log_ids ||
|
|
(|LogElasticSearch::send_logs| > 0 && fmt("%s", id) !in LogElasticSearch::send_logs) )
|
|
next;
|
|
|
|
filter$name = cat(name, "-es");
|
|
filter$writer = Log::WRITER_ELASTICSEARCH;
|
|
filter$interv = LogElasticSearch::rotation_interval;
|
|
my_filters[id, name] = filter;
|
|
}
|
|
|
|
# This had to be done separately to avoid an ever growing filters list
|
|
# where the for loop would never end.
|
|
for ( [id, name] in my_filters )
|
|
{
|
|
Log::add_filter(id, filter);
|
|
}
|
|
}
|