Json output? about docker-zeek HOT 10 CLOSED

@jazhans do you have

redef LogAscii::use_json=T;

in your local.zeek? That's how I have it setup and is working fine for me.

from docker-zeek.

I had added the following to my local.zeek, that might be my problem

@load policy/tuning/json-logs.zeek

from docker-zeek.

That should have worked. Not sure why it didn't for you, did you load that policy at the start of your local.zeek file or the end? I think order matters within the zeek.local file.

It is doing basically the same thing
https://github.com/zeek/zeek/blob/9d07e4f0b83e23046c11d7120ef1dc3eeb77fd68/scripts/policy/tuning/json-logs.zeek

from docker-zeek.

loaded it at the end of the file and then rebooted the container with no changes in output, i've done the same thing on local installed zeek without any issues...ill try both methods and report back, should have it done by monday.

from docker-zeek.

@nighttardis did you do anything besides add those changes and restart the docker container? I'm still not chaning the output to json even with those tweaks...running on ubuntu18 server host fyi

from docker-zeek.

@jazhans something i just noticed, not sure you did some replacement to make markup happy but you have

sudo docker run -d --cap-add=NET_RAW --net=host -v <pwd>/local.zeek:/usr/local/zeek/share/zeek/site/local.zeek -v <pwd>:/pcap:rw blacktop/zeek -i ens160

are you using the literal string "<pwd>" or are you using "`pwd`" like

sudo docker run -d --cap-add=NET_RAW --net=host -v `pwd`/local.zeek:/usr/local/zeek/share/zeek/site/local.zeek -v `pwd`:/pcap:rw blacktop/zeek -i ens160

The second one would be the proper way to reference `pwd`.

Another thing to try would be to pass the entire path from your local machine you want to mount in the container, instead of using pwd.

from docker-zeek.

@nighttardis i actually just added the pwd to mask my local machine info, maybe a little overkill lol im for sure properly mounting things etc....just keeps turning out the default output, ill keep tinkering

from docker-zeek.

@jazhans no worries I understand, just wanted to make sure there wasn't a simple solution we were both missing.

So I think you're not loading the local zeek config. Try adding "local" to the end of your command.

from docker-zeek.

@nighttardis nailed it homie, that was it lol que the anakin "it's working" gif

from docker-zeek.

Fixed issue, add local to end of command to load in custom local.zeek config -- Ubuntu18 Server

sudo docker run -d --cap-add=NET_RAW --net=host -v `pwd`/local.zeek:/usr/local/zeek/share/zeek/site/local.zeek -v `pwd`:/pcap:rw blacktop/zeek -i ens160 local

from docker-zeek.