├── .gitignore ├── LICENSE ├── README.md ├── scripts ├── __load__.zeek ├── import.zeek ├── main.zeek └── postprocessor.zeek └── zkg.meta /.gitignore: -------------------------------------------------------------------------------- 1 | .state 2 | *.log 3 | *.sw? 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2018, Tenzir GmbH 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright 8 | notice, this list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright 11 | notice, this list of conditions and the following disclaimer in the 12 | documentation and/or other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its 15 | contributors may be used to endorse or promote products derived from 16 | this software without specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 22 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | POSSIBILITY OF SUCH DAMAGE. 29 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Zeek & Tenzir 2 | 3 | This [Zeek](https://zeek.org) package provides the integration with 4 | [Tenzir](https://docs.tenzir.com). 5 | 6 | ## Get Started 7 | 8 | Install the package and you're good to go: 9 | 10 | ```bash 11 | zkg install zeek-tenzir 12 | ``` 13 | 14 | ## Use Cases 15 | 16 | Here are a few things you can do with the Tenzir package. 17 | 18 | ### Post-process Logs with Pipelines 19 | 20 | ```zeek 21 | event zeek_init() 22 | { 23 | Tenzir::postprocess("import"); 24 | } 25 | ``` 26 | 27 | ## License 28 | 29 | This Zeek package comes with a [BSD 3-clause license](LICENSE). 30 | -------------------------------------------------------------------------------- /scripts/__load__.zeek: -------------------------------------------------------------------------------- 1 | @load ./main 2 | @load ./postprocessor 3 | -------------------------------------------------------------------------------- /scripts/import.zeek: -------------------------------------------------------------------------------- 1 | @load tenzir 2 | 3 | # Activate log rotation by redefining the rotation interval to a non-zero value. 
redef Log::default_rotation_interval = 10 mins;

# Register the `import` pipeline at startup so rotated ASCII logs are
# handed to Tenzir::postprocessor (see postprocessor.zeek).
event zeek_init()
	{
	Tenzir::postprocess("import");
	}
--------------------------------------------------------------------------------
/scripts/main.zeek:
--------------------------------------------------------------------------------
module Tenzir;

# No package-global logic here yet. Please move along.
--------------------------------------------------------------------------------
/scripts/postprocessor.zeek:
--------------------------------------------------------------------------------
##! This script defines utilities for post-processing Zeek logs with a Tenzir
##! pipeline.
##!
##! Usage:
##!
##!   event zeek_init()
##!     {
##!     # Import every log into a Tenzir node and delete it afterwards.
##!     Tenzir::postprocess("import");
##!     }
##!

@load base/frameworks/logging

module Tenzir;

export {
	## Postprocesses logs with registered pipelines.
	##
	## info: A record holding meta-information about the log file to be
	##       postprocessed.
	##
	## Returns: True unconditionally after executing all registered pipelines.
	global postprocessor: function(info: Log::RotationInfo): bool;

	## Registers a pipeline for post-processing of a log file.
	##
	## pipeline: The pipeline operating on events, e.g., `import`. The text is
	##           handed to the ``tenzir`` binary as-is, so only register
	##           pipelines that come from trusted configuration.
	##
	global postprocess: function(pipeline: string);

	## Flag that controls whether to `rm -f` the original file after successfully
	## executing a Tenzir pipeline. This flag only has an effect if there exists
	## exactly one registered pipeline.
	##
	## The identifier is spelled as written here (one "s" in "postprocesing");
	## it is part of the exported interface, so a ``redef`` must use this
	## spelling.
	const delete_after_postprocesing = T &redef;
}

## The set of pipelines to execute for every rotated log file.
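global postprocessor_pipelines: set[string];

## Post-processes a rotated ASCII log by handing it to every registered
## pipeline.
##
## Each pipeline becomes one ``tenzir`` invocation passed to
## :zeek:see:`system`, which runs the command in the background; this
## callback does not wait for the pipeline to finish. The whole TQL program
## is passed as a single shell-quoted argument, and the file name used for
## ``rm -f`` is shell-quoted separately, so neither the pipeline text nor the
## log path can break out of the shell command. The log path is, however,
## interpolated into the TQL program without TQL-level quoting, so a path
## containing whitespace or characters TQL treats specially may not parse —
## confirm against the Tenzir parser if log paths are not under your control.
##
## The original file is removed only when exactly one pipeline is registered
## and :zeek:see:`Tenzir::delete_after_postprocesing` is true, and only if
## ``tenzir`` exits successfully, because the ``rm -f`` is chained with ``&&``.
##
## info: Meta-information about the rotated log file.
##
## Returns: True unconditionally; logs from writers other than the ASCII
##          writer are ignored.
function Tenzir::postprocessor(info: Log::RotationInfo): bool
	{
	# Only the ASCII writer leaves a file on disk for a pipeline to read.
	if ( info$writer != Log::WRITER_ASCII )
		return T;

	# Nothing registered: leave the rotated file untouched.
	if ( |postprocessor_pipelines| == 0 )
		return T;

	# The file name and the deletion decision do not change between
	# pipelines, so compute (and shell-quote) them once.
	local filename = info$fname;
	local quoted_filename = safe_shell_quote(filename);
	# With several pipelines the file must survive for all of them, so
	# deletion is limited to the single-pipeline case.
	local delete_after = |postprocessor_pipelines| == 1 && delete_after_postprocesing;

	for ( pipeline in postprocessor_pipelines )
		{
		# The registered pipeline text is executed verbatim by tenzir.
		local tql = fmt("from file %s read zeek-tsv | %s", filename, pipeline);
		local cmd = fmt("tenzir %s", safe_shell_quote(tql));
		if ( delete_after )
			cmd = fmt("%s && rm -f %s", cmd, quoted_filename);
		system(cmd);
		}

	return T;
	}

## Registers ``pipeline`` to run on every rotated ASCII log. Pipelines are
## kept in a set, so registering the same text twice has no additional
## effect.
##
## pipeline: The TQL pipeline text, e.g., `import`.
function Tenzir::postprocess(pipeline: string)
	{
	add postprocessor_pipelines[pipeline];
	}

# Hook ourselves into the postprocessing: install Tenzir::postprocessor as
# the rotation postprocessor for the ASCII writer.
redef Log::default_rotation_postprocessors += {
	[Log::WRITER_ASCII] = Tenzir::postprocessor,
};
--------------------------------------------------------------------------------
/zkg.meta:
--------------------------------------------------------------------------------
[package]
aliases = tenzir
tags = tenzir, pipelines, logs, log shipping, postprocessor, rotation
script_dir = scripts
summary = The official Tenzir integration for Zeek
description = This package is the official Zeek integration for Tenzir.
depends =
    zeek >=4.0.0

[template]
source = https://github.com/zeek/package-template
version = v2.0.0
zkg_version = 2.13.0
features = license

[template_vars]
name = Tenzir
author = Tenzir Engineering
license = bsd-3
--------------------------------------------------------------------------------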