replace logging component of file scanning #556

Open
mmguero opened this issue Jan 16, 2025 · 0 comments
Comments

mmguero (Collaborator) commented Jan 16, 2025

The code that handles the logging in file-monitor, logging the results of the file scanners like capa, clamav, yara, etc., is just kind of hacky, in that it writes to sort of a fake Zeek signatures.log file that gets handled with the rest of the Zeek logs.

I want to change that logging code to skip that intermediate step and simply send straight to logstash (or, if that's not possible, our filebeat TCP listener) instead. This will be something that will make it easier to handle more varied output from Strelka (see #485).
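As an added illustration of the direct-to-listener approach described above (example code, not Malcolm's or file-monitor's own), this Python sender emits each scanner result as one newline-delimited JSON record over TCP, the framing that Filebeat's TCP input and Logstash's tcp input with a json_lines codec consume, and includes a loopback stand-in listener so the roundtrip runs offline. The record field layout, the default port 5045 and the sample scan results are assumptions constructed for this example.

```python
import json
import socket
import threading
from datetime import datetime, timezone


def build_scan_event(scanner, file_path, sha256, verdict, details=None, timestamp=None):
    # Field layout is an assumption for this example, not Malcolm's real schema.
    return {
        "@timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "event": {"module": "file_scan", "dataset": scanner},
        "file": {"path": file_path, "hash": {"sha256": sha256}},
        "scan": {"verdict": verdict, "details": details or {}},
    }


def encode_ndjson(event):
    # One JSON object per line; json.dumps escapes embedded newlines, so the
    # record boundary stays unambiguous for the listener.
    return (json.dumps(event, separators=(",", ":"), sort_keys=True) + "\n").encode("utf-8")


def decode_ndjson(data):
    return [json.loads(line) for line in data.decode("utf-8").splitlines() if line.strip()]


def send_events(events, host="127.0.0.1", port=5045, timeout=5.0):
    # Ship all records over one TCP connection; returns the byte count sent.
    payload = b"".join(encode_ndjson(e) for e in events)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


def roundtrip(events):
    # Stand-in listener on an ephemeral loopback port (constructed for the
    # example) playing the role of the Filebeat/Logstash TCP input.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.settimeout(5.0)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    received = bytearray()

    def accept():
        conn, _ = server.accept()
        with conn:
            while chunk := conn.recv(4096):
                received.extend(chunk)

    worker = threading.Thread(target=accept)
    worker.start()
    send_events(events, port=server.getsockname()[1])
    worker.join()
    server.close()
    return decode_ndjson(bytes(received))
```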

@mmguero mmguero added carving Relating to carving (extraction) of files from traffic and the scanning of those files logstash Relating to Malcolm's use of Logstash labels Jan 16, 2025
@mmguero mmguero added this to the v25.02.0 milestone Jan 16, 2025
@mmguero mmguero self-assigned this Jan 16, 2025
@mmguero mmguero added this to Malcolm Jan 16, 2025
@mmguero mmguero moved this to Todo (develop) in Malcolm Jan 16, 2025