
Update documentation to show log filtering configuration for Zeek 5.x #61

@lawson-kc

Description

Summary of the issue

Current documentation for applying a filter to a Zeek stream before it is sent to Kafka uses the "$pred" feature. This feature was deprecated in Zeek version 4.x in favor of the "hook" feature (https://docs.zeek.org/en/master/frameworks/logging.html#filter-log-records) but was still supported; in version 5.x, however, a "zeekctl check" will fail with:

error in /usr/local/zeek/share/zeek/site/local.zeek, lines 150-158: orphaned field "pred" in record coercion ((coerce [$name=kafka-ssl, $writer=Log::WRITER_KAFKAWRITER, $config=table(metadata.broker.list = cikafka.my-company.com:9093), $pred=no_ssl_int, $path=DC2_Network_Monitor_Zeek_SSL_Raw] to Log::Filter))

The above referenced Zeek documentation shows how to filter using hooks with the ASCII writer, but it is unclear how to implement a hook filter specific to a Kafka topic in a local.zeek configuration file.

Your environment

  • Version of Zeek - 5.0.8
  • Version or commit hash of the zeek-kafka package - v1.1.0
  • Operating System and version - Ubuntu Server 20.04
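The following is an added example, not text from the issue author or documentation from the zeek-kafka project. It rewrites the filter quoted in the error message above so that the removed `$pred` field is replaced by a per-filter `$policy` hook, which is the mechanism Zeek 4.x+ uses for vetoing individual records. The hook name `no_ssl_int_policy`, the `kafka_local_nets` set and its address ranges, and the rule "drop TLS sessions where both endpoints are internal" are assumptions made for this example; the broker address, writer, and `$path` value are taken from the issue text.

```zeek
# Added example for local.zeek (not from the zeek-kafka project). Assumes the
# zeek-kafka package is installed via zkg so that "@load packages" picks it up.
@load packages

# Assumed internal address space (constructed for this example).
const kafka_local_nets: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16 } &redef;

# Per-filter policy hook. Zeek hands the record in as "any"; cast it to the
# stream's record type before reading fields. Executing "break" in a handler
# vetoes the record for this filter only, so the ASCII ssl.log is unaffected.
hook no_ssl_int_policy(rec: any, id: Log::ID, filter: Log::Filter)
	{
	if ( id != SSL::LOG )
		return;

	local r = rec as SSL::Info;

	# Keep internal-to-internal TLS sessions out of the Kafka topic.
	if ( r$id$orig_h in kafka_local_nets && r$id$resp_h in kafka_local_nets )
		break;
	}

# Negative priority so the SSL stream already exists when the filter is added.
event zeek_init() &priority=-10
	{
	local kafka_ssl: Log::Filter = [
		$name = "kafka-ssl",
		$writer = Log::WRITER_KAFKAWRITER,
		$config = table(["metadata.broker.list"] = "cikafka.my-company.com:9093"),
		# "$pred = no_ssl_int" is rejected by Zeek 5.x; "$policy" replaces it.
		$policy = no_ssl_int_policy,
		$path = "DC2_Network_Monitor_Zeek_SSL_Raw"
	];

	Log::add_filter(SSL::LOG, kafka_ssl);
	}
```

The `$policy` field on `Log::Filter` is of type `Log::PolicyHook`, so any hook with the signature `(rec: any, id: Log::ID, filter: Log::Filter)` can be assigned to it; a handler that returns normally lets the record through, and a handler that executes `break` drops it for that filter. Running `zeekctl check` after the change confirms that the record coercion error no longer appears.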
