A Zeek log writer that sends logging output using TCP, optionally using TLS.
Many thanks to the ncsa/bro-zeromq-writer which I used as a model for this plugin.
$ zkg install https://github.com/fkmclane/zeek-tcp-writer.git
redef LogTCP::host = "127.0.0.1";
redef LogTCP::tcpport = 1337;
Custom filters allow you to configure the TCP writer on a per-filter basis. Note that all configuration items must be strings and are converted to the appropriate type at runtime.
@load Writer/TCP
event zeek_init() {
local remote_filter: Log::Filter = [
$name = "remote-tcp",
$writer = Log::WRITER_TCP,
$interv = 0 sec,
$config = table(["host"] = "127.0.0.1", ["tcpport"] = "1337", ["retry"] = "T")
];
Log::add_filter(Notice::LOG, remote_filter);
}
## TCP connection details. Retry will cause the
## writer to not throw an error when a connection fails
## and simply keep retrying. TLS negotiates TLS with the
## TCP server. Cert is an optional path to a trusted CA
## or server certificate. Key is sent to the remote
## server every time a connection is made.
LogTCP::host: string = "" &redef;
LogTCP::tcpport: int = 1337 &redef;
LogTCP::retry: bool = F &redef;
LogTCP::tls: bool = F &redef;
LogTCP::cert: string = "" &redef;
LogTCP::key: string = "" &redef;
## Optionally ignore any specified :zeek:type:`Log::ID` from being sent to
## TCP.
LogTCP::excluded_log_ids: set[Log::ID] &redef;
## If you want to explicitly only send certain :zeek:type:`Log::ID`
## streams, add them to this set. If the set remains empty, all will
## be sent. The :zeek:id:`LogTCP::excluded_log_ids` option
## will remain in effect as well.
LogTCP::send_logs set[Log::ID] &redef;