Bug #11461: zeek package - Web Interface does not display any log content Package/Zeek/Alerts/Real Time Inspection - pfSense Packages - pfSense bugtracker

Actions

Copy link

Bug #11461

closed

zeek package - Web Interface does not display any log content Package/Zeek/Alerts/Real Time Inspection

Added by Felix S about 3 years ago. Updated about 2 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Renato Botelho

Category:

Zeek

Target version:

Start date:

02/19/2021

Due date:

% Done:

Estimated time:

Plus Target Version:

Affected Version:

Affected Plus Version:

Affected Architecture:

Description

Pfsense 2.5.0 - Release, Zeek 3.0.6_1
Confirmed that zeek is working properly by inspecting process list as well as ensuring that logs are written and available in /usr/local/logs/current.

However, the web interface does not show any log contents when selecting any of the logs (Package/Zeek/Alerts/Real Time Inspection) in the drop down menu.

Actions

Copy link

Updated by Felix S about 3 years ago

Further investigation seems to show that the web gui is leveraging zeek_alert_data.php for getting the data. However, this references /usr/local/spool/zeek/ for the log files while they are actually located in /usr/local/logs/current.

So the solution would be to correct the path for $log in zeek_alert_data.php or otherwise perform changes in the zeek configuration that the logs end up in the directory /usr/local/spool/zeek/.

Actions

Copy link

Updated by Felix S about 3 years ago

Further problems identified in the zeek_alerts.php:
The content is updated every 10 seconds however, the results in the current log file selection are being discarded and hence no logs are displayed anymore.
A solution might be to leverage the php code from suricata_alerts.php to implement the same sort of filtering capability as well as updating the content in the web gui from changes in the log file.

Actions

Copy link