J-Gras / add-interfaces

Adds cluster node's interface to logs.
BSD 3-Clause "New" or "Revised" License

_interface field not showing #3

Closed mshorty closed 2 years ago

mshorty commented 2 years ago

Versions:

I installed zeek/jgras/add-interfaces using zkg. I am not seeing the _interface field in the conn.log. It looks like the scripts are getting loaded and I am running in cluster mode. Wondering if this plugin still works with zeek 5.0? Let me know if I'm missing something or if I can pull more info from somewhere.

node.cfg

[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=af_packet::ens192
lb_method=custom
lb_procs=2
pin_cpus=0,1
af_packet_fanout_id=2

[worker-2]
type=worker
host=localhost
interface=af_packet::ens224
lb_method=custom
lb_procs=2
pin_cpus=2,3
af_packet_fanout_id=3

[worker-3]
type=worker
host=localhost
interface=af_packet::ens256
lb_method=custom
lb_procs=2
pin_cpus=4,5
af_packet_fanout_id=4

J-Gras commented 2 years ago

Hi @mshorty, can you load policy/misc/loaded-scripts and share the log of loaded scripts as well as the header of your conn.log? Did you spot any error messages or warnings in reporter.log?

mshorty commented 2 years ago

Hey @J-Gras, thanks for your quick response. I'm not sure how to "load" policy/misc/loaded-scripts, sorry, I am new to zeek. I also don't have a reporter.log, so I assume that means I am not getting any errors.

conn.log header

#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   conn
#open   2022-08-18-11-35-46
#fields ts  uid id.orig_h   id.orig_p   id.resp_h   id.resp_p   proto   service duration    orig_bytes  resp_bytes  conn_state  local_orig  local_resp  missed_bytes    history orig_pkts   orig_ip_bytes   resp_pkts   resp_ip_bytes   tunnel_parents
#types  time    string  addr    port    addr    port    enum    string  interval    count   count   string  bool    bool    count   string  count   count   count   count   set[string]

loaded_scripts.log

#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   loaded_scripts
#open   2022-08-18-12-08-47
#fields name
#types  string
/opt/zeek/share/zeek/base/init-bare.zeek
  /opt/zeek/share/zeek/base/bif/const.bif.zeek
  /opt/zeek/share/zeek/base/bif/types.bif.zeek
  /opt/zeek/share/zeek/base/bif/zeek.bif.zeek
  /opt/zeek/share/zeek/base/bif/stats.bif.zeek
  /opt/zeek/share/zeek/base/bif/reporter.bif.zeek
  /opt/zeek/share/zeek/base/bif/strings.bif.zeek
  /opt/zeek/share/zeek/base/bif/option.bif.zeek
  /opt/zeek/share/zeek/base/frameworks/supervisor/api.zeek
  /opt/zeek/share/zeek/base/bif/supervisor.bif.zeek
  /opt/zeek/share/zeek/base/bif/packet_analysis.bif.zeek
  /opt/zeek/share/zeek/base/bif/CPP-load.bif.zeek
  /opt/zeek/share/zeek/base/bif/plugins/Zeek_SNMP.types.bif.zeek
  /opt/zeek/share/zeek/base/bif/plugins/Zeek_KRB.types.bif.zeek
  /opt/zeek/share/zeek/base/bif/event.bif.zeek
  /opt/zeek/share/zeek/base/packet-protocols/__load__.zeek
    /opt/zeek/share/zeek/base/packet-protocols/main.zeek
      /opt/zeek/share/zeek/base/frameworks/analyzer/main.zeek
        /opt/zeek/share/zeek/base/frameworks/packet-filter/utils.zeek
        /opt/zeek/share/zeek/base/bif/analyzer.bif.zeek
    /opt/zeek/share/zeek/base/packet-protocols/root/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/root/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/ip/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/ip/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/skip/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/skip/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/ethernet/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/ethernet/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/fddi/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/fddi/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/ieee802_11/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/ieee802_11/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/ieee802_11_radio/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/ieee802_11_radio/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/linux_sll/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/linux_sll/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/nflog/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/nflog/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/null/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/null/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/ppp_serial/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/ppp_serial/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/pppoe/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/pppoe/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/vlan/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/vlan/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/mpls/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/mpls/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/vntag/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/vntag/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/udp/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/udp/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/tcp/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/tcp/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/icmp/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/icmp/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/gre/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/gre/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/iptunnel/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/iptunnel/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/ayiya/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/ayiya/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/geneve/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/geneve/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/vxlan/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/vxlan/main.zeek
    /opt/zeek/share/zeek/base/packet-protocols/teredo/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/teredo/main.zeek
        /opt/zeek/share/zeek/base/bif/plugins/Zeek_Teredo.functions.bif.zeek
    /opt/zeek/share/zeek/base/packet-protocols/gtpv1/__load__.zeek
      /opt/zeek/share/zeek/base/packet-protocols/gtpv1/main.zeek
        /opt/zeek/share/zeek/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek
/opt/zeek/share/zeek/base/init-frameworks-and-bifs.zeek
  /opt/zeek/share/zeek/base/frameworks/logging/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/logging/main.zeek
      /opt/zeek/share/zeek/base/bif/logging.bif.zeek
    /opt/zeek/share/zeek/base/frameworks/logging/postprocessors/__load__.zeek
      /opt/zeek/share/zeek/base/frameworks/logging/postprocessors/scp.zeek
      /opt/zeek/share/zeek/base/frameworks/logging/postprocessors/sftp.zeek
    /opt/zeek/share/zeek/base/frameworks/logging/writers/ascii.zeek
    /opt/zeek/share/zeek/base/frameworks/logging/writers/sqlite.zeek
    /opt/zeek/share/zeek/base/frameworks/logging/writers/none.zeek
  /opt/zeek/share/zeek/base/frameworks/broker/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/broker/main.zeek
      /opt/zeek/share/zeek/base/bif/comm.bif.zeek
      /opt/zeek/share/zeek/base/bif/messaging.bif.zeek
    /opt/zeek/share/zeek/base/frameworks/broker/store.zeek
      /opt/zeek/share/zeek/base/bif/data.bif.zeek
      /opt/zeek/share/zeek/base/bif/store.bif.zeek
    /opt/zeek/share/zeek/base/frameworks/broker/log.zeek
  /opt/zeek/share/zeek/base/frameworks/supervisor/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/supervisor/control.zeek
    /opt/zeek/share/zeek/base/frameworks/supervisor/main.zeek
  /opt/zeek/share/zeek/base/frameworks/input/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/input/main.zeek
      /opt/zeek/share/zeek/base/bif/input.bif.zeek
    /opt/zeek/share/zeek/base/frameworks/input/readers/ascii.zeek
    /opt/zeek/share/zeek/base/frameworks/input/readers/raw.zeek
    /opt/zeek/share/zeek/base/frameworks/input/readers/benchmark.zeek
    /opt/zeek/share/zeek/base/frameworks/input/readers/binary.zeek
    /opt/zeek/share/zeek/base/frameworks/input/readers/config.zeek
    /opt/zeek/share/zeek/base/frameworks/input/readers/sqlite.zeek
  /opt/zeek/share/zeek/base/frameworks/analyzer/__load__.zeek
  /opt/zeek/share/zeek/base/frameworks/files/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/files/main.zeek
      /opt/zeek/share/zeek/base/bif/file_analysis.bif.zeek
      /opt/zeek/share/zeek/base/utils/site.zeek
        /opt/zeek/share/zeek/base/utils/patterns.zeek
    /opt/zeek/share/zeek/base/frameworks/files/magic/__load__.zeek
  /opt/zeek/share/zeek/base/bif/__load__.zeek
    /opt/zeek/share/zeek/base/bif/telemetry.bif.zeek
    /opt/zeek/share/zeek/base/bif/zeekygen.bif.zeek
    /opt/zeek/share/zeek/base/bif/pcap.bif.zeek
    /opt/zeek/share/zeek/base/bif/bloom-filter.bif.zeek
    /opt/zeek/share/zeek/base/bif/cardinality-counter.bif.zeek
    /opt/zeek/share/zeek/base/bif/top-k.bif.zeek
  /opt/zeek/share/zeek/base/bif/plugins/__load__.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_ConnSize.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_DHCP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_DHCP.types.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_DNP3.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_DNS.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_File.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Finger.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_FTP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_FTP.functions.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_HTTP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_HTTP.functions.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Ident.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_IMAP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_IRC.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_KRB.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Login.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Login.functions.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_MIME.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Modbus.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_MQTT.types.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_MQTT.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_MySQL.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_NCP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_NCP.consts.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_NTLM.types.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_NTLM.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_NTP.types.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_NTP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_POP3.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_RADIUS.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_RDP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_RDP.types.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_RFB.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_RPC.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SIP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.consts.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMB.types.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMTP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SMTP.functions.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SNMP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SOCKS.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SSH.types.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SSH.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SSL.types.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SSL.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SSL.functions.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SSL.consts.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Syslog.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_TCP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_TCP.types.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_TCP.functions.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_XMPP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_ARP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_UDP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_ICMP.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Geneve.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Teredo.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_FileHash.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_PE.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Unified2.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Unified2.types.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_X509.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_X509.types.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_X509.functions.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_RawReader.raw.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Spicy.consts.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Spicy.events.bif.zeek
    /opt/zeek/share/zeek/base/bif/plugins/Zeek_Spicy.functions.bif.zeek
/opt/zeek/lib/zeek/plugins/packages/zeek-af_packet-plugin/lib/bif/__load__.zeek
  /opt/zeek/lib/zeek/plugins/packages/zeek-af_packet-plugin/lib/bif/af_packet.bif.zeek
/opt/zeek/lib/zeek/plugins/packages/zeek-af_packet-plugin/scripts/__load__.zeek
  /opt/zeek/lib/zeek/plugins/packages/zeek-af_packet-plugin/scripts/init.zeek
/opt/zeek/share/zeek/base/init-default.zeek
  /opt/zeek/share/zeek/base/utils/active-http.zeek
    /opt/zeek/share/zeek/base/utils/exec.zeek
  /opt/zeek/share/zeek/base/utils/addrs.zeek
  /opt/zeek/share/zeek/base/utils/backtrace.zeek
  /opt/zeek/share/zeek/base/utils/conn-ids.zeek
  /opt/zeek/share/zeek/base/utils/dir.zeek
    /opt/zeek/share/zeek/base/frameworks/reporter/__load__.zeek
      /opt/zeek/share/zeek/base/frameworks/reporter/main.zeek
    /opt/zeek/share/zeek/base/utils/paths.zeek
  /opt/zeek/share/zeek/base/utils/directions-and-hosts.zeek
  /opt/zeek/share/zeek/base/utils/email.zeek
  /opt/zeek/share/zeek/base/utils/files.zeek
  /opt/zeek/share/zeek/base/utils/geoip-distance.zeek
  /opt/zeek/share/zeek/base/utils/hash_hrw.zeek
  /opt/zeek/share/zeek/base/utils/numbers.zeek
  /opt/zeek/share/zeek/base/utils/queue.zeek
  /opt/zeek/share/zeek/base/utils/strings.zeek
  /opt/zeek/share/zeek/base/utils/thresholds.zeek
  /opt/zeek/share/zeek/base/utils/time.zeek
  /opt/zeek/share/zeek/base/utils/urls.zeek
  /opt/zeek/share/zeek/base/frameworks/notice/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/notice/main.zeek
      /opt/zeek/share/zeek/base/frameworks/cluster/__load__.zeek
        /opt/zeek/share/zeek/base/frameworks/cluster/main.zeek
          /opt/zeek/share/zeek/base/frameworks/control/__load__.zeek
            /opt/zeek/share/zeek/base/frameworks/control/main.zeek
        /opt/zeek/share/zeek/base/frameworks/cluster/pools.zeek
        /opt/zeek/spool/installed-scripts-do-not-touch/auto/cluster-layout.zeek
        /opt/zeek/share/zeek/base/frameworks/cluster/setup-connections.zeek
        /opt/zeek/share/zeek/base/frameworks/cluster/nodes/logger.zeek
        /opt/zeek/share/zeek/base/frameworks/cluster/broker-stores.zeek
    /opt/zeek/share/zeek/base/frameworks/notice/weird.zeek
    /opt/zeek/share/zeek/base/frameworks/notice/actions/email_admin.zeek
    /opt/zeek/share/zeek/base/frameworks/notice/actions/page.zeek
    /opt/zeek/share/zeek/base/frameworks/notice/actions/add-geodata.zeek
    /opt/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek
  /opt/zeek/share/zeek/base/frameworks/dpd/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/dpd/main.zeek
  /opt/zeek/share/zeek/base/frameworks/signatures/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/signatures/main.zeek
  /opt/zeek/share/zeek/base/frameworks/packet-filter/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/packet-filter/main.zeek
    /opt/zeek/share/zeek/base/frameworks/packet-filter/netstats.zeek
    /opt/zeek/share/zeek/base/frameworks/packet-filter/cluster.zeek
  /opt/zeek/share/zeek/base/frameworks/software/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/software/main.zeek
  /opt/zeek/share/zeek/base/frameworks/intel/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/intel/main.zeek
    /opt/zeek/share/zeek/base/frameworks/intel/files.zeek
    /opt/zeek/share/zeek/base/frameworks/intel/cluster.zeek
    /opt/zeek/share/zeek/base/frameworks/intel/input.zeek
  /opt/zeek/share/zeek/base/frameworks/config/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/config/main.zeek
    /opt/zeek/share/zeek/base/frameworks/config/input.zeek
    /opt/zeek/share/zeek/base/frameworks/config/weird.zeek
  /opt/zeek/share/zeek/base/frameworks/sumstats/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/sumstats/main.zeek
    /opt/zeek/share/zeek/base/frameworks/sumstats/plugins/__load__.zeek
      /opt/zeek/share/zeek/base/frameworks/sumstats/plugins/average.zeek
      /opt/zeek/share/zeek/base/frameworks/sumstats/plugins/hll_unique.zeek
      /opt/zeek/share/zeek/base/frameworks/sumstats/plugins/last.zeek
      /opt/zeek/share/zeek/base/frameworks/sumstats/plugins/max.zeek
      /opt/zeek/share/zeek/base/frameworks/sumstats/plugins/min.zeek
      /opt/zeek/share/zeek/base/frameworks/sumstats/plugins/sample.zeek
      /opt/zeek/share/zeek/base/frameworks/sumstats/plugins/std-dev.zeek
        /opt/zeek/share/zeek/base/frameworks/sumstats/plugins/variance.zeek
      /opt/zeek/share/zeek/base/frameworks/sumstats/plugins/sum.zeek
      /opt/zeek/share/zeek/base/frameworks/sumstats/plugins/topk.zeek
      /opt/zeek/share/zeek/base/frameworks/sumstats/plugins/unique.zeek
    /opt/zeek/share/zeek/base/frameworks/sumstats/cluster.zeek
  /opt/zeek/share/zeek/base/frameworks/tunnels/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/tunnels/main.zeek
      /opt/zeek/share/zeek/base/protocols/conn/removal-hooks.zeek
  /opt/zeek/share/zeek/base/frameworks/openflow/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/openflow/consts.zeek
    /opt/zeek/share/zeek/base/frameworks/openflow/types.zeek
    /opt/zeek/share/zeek/base/frameworks/openflow/main.zeek
    /opt/zeek/share/zeek/base/frameworks/openflow/plugins/__load__.zeek
      /opt/zeek/share/zeek/base/frameworks/openflow/plugins/ryu.zeek
      /opt/zeek/share/zeek/base/frameworks/openflow/plugins/log.zeek
      /opt/zeek/share/zeek/base/frameworks/openflow/plugins/broker.zeek
    /opt/zeek/share/zeek/base/frameworks/openflow/cluster.zeek
  /opt/zeek/share/zeek/base/frameworks/netcontrol/__load__.zeek
    /opt/zeek/share/zeek/base/frameworks/netcontrol/types.zeek
    /opt/zeek/share/zeek/base/frameworks/netcontrol/main.zeek
      /opt/zeek/share/zeek/base/frameworks/netcontrol/plugin.zeek
    /opt/zeek/share/zeek/base/frameworks/netcontrol/plugins/__load__.zeek
      /opt/zeek/share/zeek/base/frameworks/netcontrol/plugins/debug.zeek
      /opt/zeek/share/zeek/base/frameworks/netcontrol/plugins/openflow.zeek
      /opt/zeek/share/zeek/base/frameworks/netcontrol/plugins/packetfilter.zeek
      /opt/zeek/share/zeek/base/frameworks/netcontrol/plugins/broker.zeek
      /opt/zeek/share/zeek/base/frameworks/netcontrol/plugins/acld.zeek
    /opt/zeek/share/zeek/base/frameworks/netcontrol/drop.zeek
    /opt/zeek/share/zeek/base/frameworks/netcontrol/shunt.zeek
    /opt/zeek/share/zeek/base/frameworks/netcontrol/cluster.zeek
  /opt/zeek/share/zeek/base/protocols/conn/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/conn/main.zeek
    /opt/zeek/share/zeek/base/protocols/conn/contents.zeek
    /opt/zeek/share/zeek/base/protocols/conn/inactivity.zeek
    /opt/zeek/share/zeek/base/protocols/conn/polling.zeek
    /opt/zeek/share/zeek/base/protocols/conn/thresholds.zeek
  /opt/zeek/share/zeek/base/protocols/dce-rpc/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/dce-rpc/consts.zeek
    /opt/zeek/share/zeek/base/protocols/dce-rpc/main.zeek
  /opt/zeek/share/zeek/base/protocols/dhcp/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/dhcp/consts.zeek
    /opt/zeek/share/zeek/base/protocols/dhcp/main.zeek
  /opt/zeek/share/zeek/base/protocols/dnp3/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/dnp3/main.zeek
      /opt/zeek/share/zeek/base/protocols/dnp3/consts.zeek
  /opt/zeek/share/zeek/base/protocols/dns/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/dns/consts.zeek
    /opt/zeek/share/zeek/base/protocols/dns/main.zeek
  /opt/zeek/share/zeek/base/protocols/ftp/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/ftp/utils-commands.zeek
    /opt/zeek/share/zeek/base/protocols/ftp/info.zeek
    /opt/zeek/share/zeek/base/protocols/ftp/main.zeek
      /opt/zeek/share/zeek/base/protocols/ftp/utils.zeek
    /opt/zeek/share/zeek/base/protocols/ftp/files.zeek
    /opt/zeek/share/zeek/base/protocols/ftp/gridftp.zeek
      /opt/zeek/share/zeek/base/protocols/ssl/__load__.zeek
        /opt/zeek/share/zeek/base/protocols/ssl/consts.zeek
        /opt/zeek/share/zeek/base/protocols/ssl/main.zeek
        /opt/zeek/share/zeek/base/protocols/ssl/mozilla-ca-list.zeek
        /opt/zeek/share/zeek/base/protocols/ssl/ct-list.zeek
        /opt/zeek/share/zeek/base/protocols/ssl/files.zeek
          /opt/zeek/share/zeek/base/files/x509/__load__.zeek
            /opt/zeek/share/zeek/base/files/x509/main.zeek
              /opt/zeek/share/zeek/base/files/hash/__load__.zeek
                /opt/zeek/share/zeek/base/files/hash/main.zeek
            /opt/zeek/share/zeek/base/files/x509/certificate-event-cache.zeek
            /opt/zeek/share/zeek/base/files/x509/log-ocsp.zeek
  /opt/zeek/share/zeek/base/protocols/http/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/http/main.zeek
    /opt/zeek/share/zeek/base/protocols/http/entities.zeek
    /opt/zeek/share/zeek/base/protocols/http/utils.zeek
    /opt/zeek/share/zeek/base/protocols/http/files.zeek
  /opt/zeek/share/zeek/base/protocols/imap/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/imap/main.zeek
  /opt/zeek/share/zeek/base/protocols/irc/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/irc/main.zeek
    /opt/zeek/share/zeek/base/protocols/irc/dcc-send.zeek
    /opt/zeek/share/zeek/base/protocols/irc/files.zeek
  /opt/zeek/share/zeek/base/protocols/krb/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/krb/main.zeek
      /opt/zeek/share/zeek/base/protocols/krb/consts.zeek
    /opt/zeek/share/zeek/base/protocols/krb/files.zeek
  /opt/zeek/share/zeek/base/protocols/modbus/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/modbus/consts.zeek
    /opt/zeek/share/zeek/base/protocols/modbus/main.zeek
  /opt/zeek/share/zeek/base/protocols/mqtt/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/mqtt/consts.zeek
  /opt/zeek/share/zeek/base/protocols/mysql/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/mysql/main.zeek
      /opt/zeek/share/zeek/base/protocols/mysql/consts.zeek
  /opt/zeek/share/zeek/base/protocols/ntlm/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/ntlm/main.zeek
  /opt/zeek/share/zeek/base/protocols/ntp/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/ntp/main.zeek
    /opt/zeek/share/zeek/base/protocols/ntp/consts.zeek
  /opt/zeek/share/zeek/base/protocols/pop3/__load__.zeek
  /opt/zeek/share/zeek/base/protocols/radius/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/radius/main.zeek
      /opt/zeek/share/zeek/base/protocols/radius/consts.zeek
  /opt/zeek/share/zeek/base/protocols/rdp/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/rdp/consts.zeek
    /opt/zeek/share/zeek/base/protocols/rdp/main.zeek
  /opt/zeek/share/zeek/base/protocols/rfb/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/rfb/main.zeek
  /opt/zeek/share/zeek/base/protocols/sip/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/sip/main.zeek
  /opt/zeek/share/zeek/base/protocols/snmp/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/snmp/main.zeek
  /opt/zeek/share/zeek/base/protocols/smb/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/smb/consts.zeek
    /opt/zeek/share/zeek/base/protocols/smb/const-dos-error.zeek
    /opt/zeek/share/zeek/base/protocols/smb/const-nt-status.zeek
    /opt/zeek/share/zeek/base/protocols/smb/main.zeek
    /opt/zeek/share/zeek/base/protocols/smb/smb1-main.zeek
    /opt/zeek/share/zeek/base/protocols/smb/smb2-main.zeek
    /opt/zeek/share/zeek/base/protocols/smb/files.zeek
  /opt/zeek/share/zeek/base/protocols/smtp/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/smtp/main.zeek
    /opt/zeek/share/zeek/base/protocols/smtp/entities.zeek
    /opt/zeek/share/zeek/base/protocols/smtp/files.zeek
  /opt/zeek/share/zeek/base/protocols/socks/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/socks/consts.zeek
    /opt/zeek/share/zeek/base/protocols/socks/main.zeek
  /opt/zeek/share/zeek/base/protocols/ssh/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/ssh/main.zeek
  /opt/zeek/share/zeek/base/protocols/syslog/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/syslog/consts.zeek
    /opt/zeek/share/zeek/base/protocols/syslog/main.zeek
  /opt/zeek/share/zeek/base/protocols/tunnels/__load__.zeek
  /opt/zeek/share/zeek/base/protocols/xmpp/__load__.zeek
    /opt/zeek/share/zeek/base/protocols/xmpp/main.zeek
  /opt/zeek/share/zeek/base/files/pe/__load__.zeek
    /opt/zeek/share/zeek/base/files/pe/consts.zeek
    /opt/zeek/share/zeek/base/files/pe/main.zeek
  /opt/zeek/share/zeek/base/files/extract/__load__.zeek
    /opt/zeek/share/zeek/base/files/extract/main.zeek
  /opt/zeek/share/zeek/base/misc/find-checksum-offloading.zeek
  /opt/zeek/share/zeek/base/misc/find-filtered-trace.zeek
  /opt/zeek/share/zeek/base/misc/installation.zeek
  /opt/zeek/share/zeek/base/misc/version.zeek
/opt/zeek/share/zeek/builtin-plugins/__preload__.zeek
  /opt/zeek/share/zeek/builtin-plugins/Zeek_Spicy/__preload__.zeek
/opt/zeek/share/zeek/builtin-plugins/__load__.zeek
  /opt/zeek/share/zeek/builtin-plugins/Zeek_Spicy/__load__.zeek
    /opt/zeek/share/zeek/builtin-plugins/Zeek_Spicy/Zeek/Spicy/bare.zeek
    /opt/zeek/share/zeek/builtin-plugins/Zeek_Spicy/Zeek/Spicy/default.zeek
/opt/zeek/spool/installed-scripts-do-not-touch/site/local.zeek
  /opt/zeek/share/zeek/policy/misc/loaded-scripts.zeek
  /opt/zeek/share/zeek/policy/tuning/defaults/__load__.zeek
    /opt/zeek/share/zeek/policy/tuning/defaults/packet-fragments.zeek
    /opt/zeek/share/zeek/policy/tuning/defaults/warnings.zeek
    /opt/zeek/share/zeek/policy/tuning/defaults/extracted_file_limits.zeek
  /opt/zeek/share/zeek/policy/misc/capture-loss.zeek
  /opt/zeek/share/zeek/policy/misc/stats.zeek
  /opt/zeek/share/zeek/policy/frameworks/software/vulnerable.zeek
  /opt/zeek/share/zeek/policy/frameworks/software/version-changes.zeek
  /opt/zeek/share/zeek/policy/protocols/ftp/software.zeek
  /opt/zeek/share/zeek/policy/protocols/smtp/software.zeek
  /opt/zeek/share/zeek/policy/protocols/ssh/software.zeek
  /opt/zeek/share/zeek/policy/protocols/http/software.zeek
  /opt/zeek/share/zeek/policy/protocols/dns/detect-external-names.zeek
  /opt/zeek/share/zeek/policy/protocols/ftp/detect.zeek
  /opt/zeek/share/zeek/policy/protocols/conn/known-hosts.zeek
  /opt/zeek/share/zeek/policy/protocols/conn/known-services.zeek
  /opt/zeek/share/zeek/policy/protocols/ssl/known-certs.zeek
  /opt/zeek/share/zeek/policy/protocols/ssl/validate-certs.zeek
  /opt/zeek/share/zeek/policy/protocols/ssl/log-hostcerts-only.zeek
  /opt/zeek/share/zeek/policy/protocols/ssh/geo-data.zeek
  /opt/zeek/share/zeek/policy/protocols/ssh/detect-bruteforcing.zeek
  /opt/zeek/share/zeek/policy/protocols/ssh/interesting-hostnames.zeek
  /opt/zeek/share/zeek/policy/protocols/http/detect-sqli.zeek
  /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
  /opt/zeek/share/zeek/policy/frameworks/files/detect-MHR.zeek
  /opt/zeek/share/zeek/policy/frameworks/notice/extend-email/hostnames.zeek
/opt/zeek/share/zeek/zeekctl/__load__.zeek
  /opt/zeek/share/zeek/zeekctl/main.zeek
    /opt/zeek/share/zeek/policy/frameworks/control/controllee.zeek
/opt/zeek/share/zeek/zeekctl/auto.zeek
  /opt/zeek/spool/installed-scripts-do-not-touch/auto/local-networks.zeek
  /opt/zeek/spool/installed-scripts-do-not-touch/auto/zeekctl-config.zeek

mshorty commented 2 years ago

I do see the following which led me to believe the package was getting loaded.

/opt/zeek/spool/installed-scripts-do-not-touch/site

add-interfaces -> packages/add-interfaces/

J-Gras commented 2 years ago

The loaded_scripts.log indicates that the package isn't loaded. Can you verify that @load packages is added to your local.zeek (found in <path to zeek>/share/zeek/site/local.zeek) and the package is loaded using zkg list loaded? See zkg-doc for more details.

mshorty commented 2 years ago

zkg list loaded
zeek/j-gras/add-interfaces (installed: 2.0.0) - Adds cluster node's interface to logs.
zeek/j-gras/zeek-af_packet-plugin (installed: 3.2.0) - This plugin provides native AF_Packet support for Zeek.

J-Gras commented 2 years ago

How about your local.zeek?

mshorty commented 2 years ago

Sorry, I was trying to get out the door when I sent the last message. Looks like that was the issue. All I had to do was uncomment @load packages in /share/zeek/site/local.zeek.

Sorry for the trouble and thanks again for the help. I figured the issue was one of two things: the package not being compatible with the zeek version or, more than likely, me not knowing what I am doing. Glad it turned out to be on me. Again, thanks for all the help.

#fields _interface  ts  uid id.orig_h   id.orig_p   id.resp_h   id.resp_p   proto   service duration    orig_bytes  resp_bytes  conn_state  local_orig  local_resp  missed_bytes    history orig_pkts   orig_ip_bytes   resp_pkts   resp_ip_bytes   tunnel_parents

J-Gras commented 2 years ago

You are welcome! Given that Zeek is shipped with zkg and zkg reports the packages are loaded this isn't intuitive at all.
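The diagnosis worked through in this thread (field missing from the conn.log header, no package scripts in loaded_scripts.log, `@load packages` commented out in local.zeek) as an added Python checker; this is example code, not part of the issue or of the add-interfaces project. The sample inputs are constructed to resemble the headers posted above; the `site/packages/<name>/` layout of zkg-installed scripts and the `string` type of `_interface` are assumptions.

```python
"""Check whether a zkg-installed Zeek package is really loaded (added example)."""
import re


def decode_separator(token: str) -> str:
    """Turn the escaped token of a '#separator' line (e.g. '\\x09') into a character."""
    m = re.fullmatch(r"\\x([0-9a-fA-F]{2})", token)
    return chr(int(m.group(1), 16)) if m else token


def parse_ascii_header(text: str) -> dict:
    """Parse the '#key<sep>value' header of a Zeek ASCII log into a dict.

    'fields' and 'types' come back as lists, everything else as strings.
    The '#separator' line is the only space-separated one; it defines the
    separator used by all following header lines.
    """
    header, sep = {}, "\t"
    for line in text.splitlines():
        if not line.startswith("#"):
            break  # header ends at the first data line
        if line.startswith("#separator "):
            sep = decode_separator(line[len("#separator "):].strip())
            header["separator"] = sep
            continue
        key, _, value = line[1:].partition(sep)
        header[key] = value.split(sep) if key in ("fields", "types") else value
    return header


def has_field(header: dict, name: str) -> bool:
    """True if the parsed header lists the given column in '#fields'."""
    return name in header.get("fields", [])


def package_scripts_loaded(loaded_scripts_log: str, package: str) -> list:
    """Return loaded_scripts.log entries whose path contains the package directory.

    zkg places a package's scripts in a directory named after the package
    (assumed layout: .../packages/<name>/), so no matching entry means Zeek
    never loaded that package's scripts, whatever 'zkg list loaded' says.
    """
    return [ln.strip() for ln in loaded_scripts_log.splitlines()
            if not ln.startswith("#") and package in ln.strip().split("/")]


LOAD_PACKAGES_RE = re.compile(r"^\s*@load\s+packages\b")


def load_packages_enabled(local_zeek: str) -> bool:
    """True if local.zeek has an active '@load packages' line.

    Zeek comments start with '#', so a commented-out '#@load packages' line
    (the state the reporter had) does not count.
    """
    return any(LOAD_PACKAGES_RE.match(ln) for ln in local_zeek.splitlines())


def diagnose(conn_header: str, loaded_scripts_log: str, local_zeek: str,
             package: str, field: str) -> list:
    """Walk the thread's diagnosis in order; an empty list means all is well."""
    findings = []
    header = parse_ascii_header(conn_header)
    if not has_field(header, field):
        findings.append(f"{header.get('path', '?')}.log lacks field {field!r}")
        if not package_scripts_loaded(loaded_scripts_log, package):
            findings.append(f"no scripts from package {package!r} in loaded_scripts.log")
            if not load_packages_enabled(local_zeek):
                findings.append("local.zeek has no active '@load packages' line")
    return findings


# Constructed samples modelled on the headers in the issue (tabs are real tabs).
CONN_HEADER_BEFORE = (
    "#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n"
    "#path\tconn\n#open\t2022-08-18-11-35-46\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n"
)
CONN_HEADER_AFTER = (CONN_HEADER_BEFORE
                     .replace("#fields\tts", "#fields\t_interface\tts")
                     .replace("#types\ttime", "#types\tstring\ttime"))  # type assumed
LOADED_SCRIPTS_BEFORE = (
    "#separator \\x09\n#path\tloaded_scripts\n#fields\tname\n#types\tstring\n"
    "/opt/zeek/share/zeek/base/init-bare.zeek\n"
    "/opt/zeek/lib/zeek/plugins/packages/zeek-af_packet-plugin/scripts/__load__.zeek\n"
    "/opt/zeek/spool/installed-scripts-do-not-touch/site/local.zeek\n"
    "  /opt/zeek/share/zeek/policy/misc/loaded-scripts.zeek\n"
)
LOADED_SCRIPTS_AFTER = LOADED_SCRIPTS_BEFORE + (  # assumed zkg site/packages layout
    "  /opt/zeek/spool/installed-scripts-do-not-touch/site/packages/__load__.zeek\n"
    "    /opt/zeek/spool/installed-scripts-do-not-touch/site/packages/add-interfaces/__load__.zeek\n"
)
LOCAL_ZEEK_BEFORE = "@load tuning/defaults\n#@load packages\n"
LOCAL_ZEEK_AFTER = "@load tuning/defaults\n@load packages\n"

if __name__ == "__main__":
    for label, conn, loaded, site in (
            ("before fix", CONN_HEADER_BEFORE, LOADED_SCRIPTS_BEFORE, LOCAL_ZEEK_BEFORE),
            ("after fix", CONN_HEADER_AFTER, LOADED_SCRIPTS_AFTER, LOCAL_ZEEK_AFTER)):
        print(label, diagnose(conn, loaded, site, "add-interfaces", "_interface") or ["ok"])
```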