Bug #11461
zeek package - Web Interface does not display any log content Package/Zeek/Alerts/Real Time Inspection
0%
Description
Pfsense 2.5.0 - Release, Zeek 3.0.6_1
Confirmed that zeek is working properly by inspecting process list as well as ensuring that logs are written and available in /usr/local/logs/current.
However, the web interface does not show any log contents when selecting any of the logs (Package/Zeek/Alerts/Real Time Inspection) in the drop down menu.
History
#1
Updated by Felix S about 2 months ago
Updated by Further investigation seems to show that the web gui is leveraging zeek_alert_data.php for getting the data. However, this references /usr/local/spool/zeek/ for the log files while they are actually located in /usr/local/logs/current.
So the solution would be to correct the path for $log in zeek_alert_data.php or otherwise perform changes in the zeek configuration that the logs end up in the directory /usr/local/spool/zeek/.
#2
Updated by Felix S about 2 months ago
Further problems identified in the zeek_alerts.php:
The content is updated every 10 seconds however, the results in the current log file selection are being discarded and hence no logs are displayed anymore.
A solution might be to leverage the php code from suricata_alerts.php to implement the same sort of filtering capability as well as updating the content in the web gui from changes in the log file.