Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bring your own zeek #731

Closed
alfred-landrum opened this issue May 4, 2020 · 2 comments
Closed

bring your own zeek #731

alfred-landrum opened this issue May 4, 2020 · 2 comments
Labels
Epic
Milestone
Brim v0.10.0

Comments

@alfred-landrum
Copy link
Contributor

A user should be able to use their own Zeek executable & scripts to perform the pcap to zeek log conversion that occurs during pcap ingest.

This feature would enable:

  • Zeek savvy users to use their own customized scripts.
  • Zeek script authors to use Brim as a script development aid.
  • Brim/zq developers to easily test modifications to the packaged Zeek bundle included in Brim.

To implement this, we should reorganize how Zeek is launched from Brim zqd. I suggest we use the idea of a "Zeek runner", a command or script that acts as the interface for Zeek to zqd. It's contract with zqd would be:

  • zqd is passed a path to a runner script/executable.
  • The runner is launched with no command arguments.
  • The runner's working directory is set to the desired output location for the generated zeek logs.
  • The runner is responsible for launching zeek with any needed command line arguments and environment variables.
  • The runner is responsible for ensuring pcap data from stdin reaches zeek.

This is nearly what the 'zeek' script in brimsec/zeek does today, with the exception of the zeek cli arguments that are currently specified in the zqd source.

Brim would allow a user to specify a location to a runner, defaulting to the one we include in zdeps. We can also allow a user to override the runner with an environment variable.
This was referenced May 4, 2020
Merged
Merged
Merged
@alfred-landrum
Copy link
Contributor Author

I've done an initial round of work on the 'zeek runner'. Since it's across all 3 of our main dev repos, all of the tests are failing, but I've verified the PR's work with each other on mac & windows. I'll wait until #634 is in, then use that to make the Brim integration tests pass.

@alfred-landrum alfred-landrum added this to the Brim 0.10.0 milestone May 4, 2020
@philrz philrz mentioned this issue May 6, 2020
Closed
alfred-landrum added a commit that referenced this issue May 8, 2020
@alfred-landrum
use zeekrunner scripts and zqd cli option (#732)
0d142c5 
This is part of the brimsec/brim repo side work for #731.

Use the -zeekrunner cli option to zqd ( brimdata/zed#718 ), defaulting to the value of environment variable BRIM_ZEEK_RUNNER, else to the zeekrunner included from the zdeps zeek artifact ( brimdata/zeek#23 ).
@github-actions github-actions bot mentioned this issue May 11, 2020
Closed
@philrz
Copy link
Contributor

philrz commented May 27, 2020

The attached video shows the complete feature in action as of Brim commit ff40f0e. I have a Zeek v3.1.3 compiled on my laptop in /usr/local/zeek-3.1.3. I copy the zeekrunner script from Brim to this base directory for my alternate Zeek, then import a pcap file in Brim. The ps output shows that the generated events in Brim are coming from my Zeek v3.1.3. Therefore I'm free to do whatever customizations/additions to my personal Zeek & see the results of that in the app.

Verify.mp4.zip

@philrz philrz closed this as completed May 27, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Epic
Projects
None yet
Milestone
Brim v0.10.0
Development

No branches or pull requests
2 participants
@alfred-landrum @philrz