Excluding attributes from log files #1509

etiennevandebijl · 2021-04-14T15:34:07Z

etiennevandebijl
Apr 14, 2021

Is there a way to exclude (optional) attributes from the log files when using zeek -r file.pcap ?
Suppose I want to get rid of the SSH host_key attribute, how can I achieve this without changing the SSH.main file but with scripts?

Answered by jsiwek

Apr 19, 2021

A logging filter should be able to help with that:

event zeek_init()
	{
	Log::remove_default_filter(SSH::LOG);
	Log::add_filter(SSH::LOG, [$name="my-filter", $exclude=set("host_key")]);
	}

More info about filters at these places in case it helps you find anything interesting:

View full answer

jsiwek · 2021-04-19T23:55:41Z

jsiwek
Apr 19, 2021

A logging filter should be able to help with that:

event zeek_init()
	{
	Log::remove_default_filter(SSH::LOG);
	Log::add_filter(SSH::LOG, [$name="my-filter", $exclude=set("host_key")]);
	}

More info about filters at these places in case it helps you find anything interesting:

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Excluding attributes from log files #1509

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

Excluding attributes from log files #1509

etiennevandebijl Apr 14, 2021

Replies: 1 comment

jsiwek Apr 19, 2021

etiennevandebijl
Apr 14, 2021

jsiwek
Apr 19, 2021