Zeek log files that have been renamed and are in the process of moving not caught correctly by Logstash #121

mmguero · 2022-10-20T14:05:14Z

Sometimes Zeek renames a file before moving it, and Filebeat/Logstash can catch it before it's moved but after it's renamed. These files have a datestamp in them, which used to be like conn.2020-01-16-14-00-00.log but has at some point more recently been changed to conn.2020_01_16_14_00_00.log. I've updated the parsing to handle both (see mmguero-dev@c8f7303). It should now handle _ (underscore), - (dash), : (colon) or `` (no character) as separators for the date.

The text was updated successfully, but these errors were encountered:

mmguero added bug Something isn't working logstash Relating to Malcolm's use of Logstash regression It worked at one point... labels Oct 20, 2022

mmguero self-assigned this Oct 20, 2022

mmguero added this to Malcolm Oct 20, 2022

mmguero closed this as completed Oct 20, 2022

mmguero moved this to Done in Malcolm Oct 20, 2022

mmguero mentioned this issue Oct 20, 2022

Modify zeek's logstash pipeline to drop event from logs name that con… cisagov/Malcolm#221

Closed

6 tasks

mmguero moved this from Done to Released in Malcolm Nov 3, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Zeek log files that have been renamed and are in the process of moving not caught correctly by Logstash #121

Zeek log files that have been renamed and are in the process of moving not caught correctly by Logstash #121

mmguero commented Oct 20, 2022

Zeek log files that have been renamed and are in the process of moving not caught correctly by Logstash #121

Zeek log files that have been renamed and are in the process of moving not caught correctly by Logstash #121

Comments

mmguero commented Oct 20, 2022