One Article Review

Home - The article:
Source taosecurity (blog)
Identifier 1870770
Publication date 2020-08-19 11:17:40 (viewed: 2020-08-19 16:13:04)
Title One Weird Trick for Reviewing Zeek Logs on the Command Line!
Text

Are you a network security monitoring dinosaur like me? Do you prefer to inspect your Zeek logs using the command line instead of a Web-based SIEM?

If yes, try this one weird trick!

I store my Zeek logs in JSON format. Sometimes I like to view the output using jq.

If I need to search directories of logs for a string, like a UID, I might* use something like zgrep with the following syntax:

$ zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/*
2020-08-16/conn_20200816_06:00:00-07:00:00+0000.log.gz:{"_path":"conn","_system_name":"ds61","_write_ts":"2020-08-16T06:26:10.266225Z","_node":"worker-01","ts":"2020-08-16T06:26:01.485394Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.2.76","id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"proto":"tcp","service":"ftp","duration":3.780829906463623,"orig_bytes":184,"resp_bytes":451,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShAdDafF","orig_pkts":20,"orig_ip_bytes":1232,"resp_pkts":17,"resp_ip_bytes":1343,"community_id":"1:lEESxqaSVYqFZvWNb4OccTa9sTs="}
2020-08-16/ftp_20200816_06:26:04-07:00:00+0000.log.gz:{"_path":"ftp","_system_name":"ds61","_write_ts":"2020-08-16T06:26:04.077276Z","_node":"worker-01","ts":"2020-08-16T06:26:03.553287Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.2.76","id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"user":"anonymous","password":"ftp@example.com","command":"EPSV","reply_code":229,"reply_msg":"Entering Extended Passive Mode (|||31746|).","data_channel.passive":true,"data_channel.orig_h":"192.168.2.76","data_channel.resp_h":"196.216.2.24","data_channel.resp_p":31746}
2020-08-16/ftp_20200816_06:26:04-07:00:00+0000.log.gz:{"_path":"ftp","_system_name":"ds61","_write_ts":"2020-08-16T06:26:05.117287Z","_node":"worker-01","ts":"2020-08-16T06:26:04.597290Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.2.76","id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"user":"anonymous","password":"ftp@example.com","command":"RETR","arg":"ftp://196.216.2.24/pub/stats/afrinic/delegated-afrinic-extended-latest.md5","file_size":74,"reply_code":226,"reply_msg":"Transfer complete.","fuid":"FueF95uKPrUuDnMc4"}

That is tough on the eyes. I cannot simply pipe that output to jq, however, because each line starts with the file name and a colon rather than with JSON:

$ zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/* | jq .
parse error: Invalid numeric literal at line 1, column 28

What I need to do is strip out the filename and colon before the JSON. I learned how to use sed to do this thanks to this post.

$ zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/* | sed 's/.*gz://' | jq .
{
  "_path": "conn",
  "_system_name": "ds61",
  "_write_ts": "2020-08-16T06:26:10.266225Z",
  "_node": "worker-01",
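The script below is an added example, not code from the post or its author. It rebuilds the zgrep | sed | jq pipeline against constructed sample logs (the two gzipped files, their records and the second UID are made up here, modelled on the records shown above) and adds two refinements a practitioner would want: zgrep accepts grep's -h (--no-filename), which suppresses the "file.gz:" prefix at the source, so no sed is needed and the greedy ".*gz:" pattern can no longer eat the start of a record that itself happens to contain the text "gz:"; and once every line is bare JSON, jq can select by Zeek log type (the _path field) instead of only pretty-printing. jq is used when installed, with a grep/sed fallback so the script still runs without it.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the zgrep | sed | jq
# pipeline on constructed Zeek JSON logs and show the zgrep -h alternative.
set -eu

# Constructed sample data: two gzipped Zeek JSON logs for one day. The second
# UID, its hosts and the trimmed field sets are made up for this example.
LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT
DAY="$LOGDIR/2020-08-16"
mkdir -p "$DAY"

printf '%s\n' \
  '{"_path":"conn","ts":"2020-08-16T06:26:01.485394Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.2.76","id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"proto":"tcp","service":"ftp"}' \
  '{"_path":"conn","ts":"2020-08-16T06:27:11.000000Z","uid":"CxYz9aBcDeFgHiJkL","id.orig_h":"192.168.2.77","id.orig_p":40000,"id.resp_h":"10.0.0.5","id.resp_p":443,"proto":"tcp","service":"ssl"}' \
  | gzip > "$DAY/conn_20200816_06:00:00-07:00:00+0000.log.gz"

printf '%s\n' \
  '{"_path":"ftp","ts":"2020-08-16T06:26:03.553287Z","uid":"CLkXf2CMo11hD8FQ5","user":"anonymous","command":"EPSV","reply_code":229}' \
  '{"_path":"ftp","ts":"2020-08-16T06:26:04.597290Z","uid":"CLkXf2CMo11hD8FQ5","user":"anonymous","command":"RETR","arg":"ftp://196.216.2.24/pub/stats/afrinic/delegated-afrinic-extended-latest.md5","reply_code":226}' \
  | gzip > "$DAY/ftp_20200816_06:26:04-07:00:00+0000.log.gz"

# 1. The post's pipeline. With more than one file, zgrep prefixes every hit
#    with "<file>.gz:", which jq rejects; sed strips everything up to and
#    including the last "gz:" on the line.
#    $1 = UID (or any search string), $2 = directory of .log.gz files
uid_records_sed() {
  zgrep "$1" "$2"/* | sed 's/.*gz://'
}

# 2. Same output without sed: -h (--no-filename) is passed through to grep,
#    so the prefix is never emitted. This avoids the greedy ".*gz:" regex
#    swallowing part of a record that itself contains "gz:".
uid_records() {
  zgrep -h "$1" "$2"/*
}

# 3. With one bare JSON record per line, jq can filter by Zeek log type.
#    Here: the FTP commands issued in the searched UID's session, one per
#    line. Falls back to grep/sed when jq is not installed.
ftp_commands() {
  if command -v jq >/dev/null 2>&1; then
    uid_records "$1" "$2" | jq -r 'select(._path == "ftp") | .command'
  else
    uid_records "$1" "$2" | grep '"_path":"ftp"' \
      | sed 's/.*"command":"\([^"]*\)".*/\1/'
  fi
}

# Stand-alone run: bare records for the UID, then its FTP command sequence.
uid_records_sed CLkXf2CMo11hD8FQ5 "$DAY"
ftp_commands CLkXf2CMo11hD8FQ5 "$DAY"
```

Both uid_records_sed and uid_records yield three lines for CLkXf2CMo11hD8FQ5 (one conn record, two ftp records), so either can feed jq; -h is simply the form that does not depend on the file name ending in ".gz" or on the records never containing "gz:".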