Zeek File Follower Config
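# Global settings for the file follower ingester that ships the Zeek logs below.
# NOTE(review): this snippet shows no Ingest-Secret and no *-Backend-Target
# entry, so it is presumably incomplete as published. Once they are filled in,
# the secret sits in this file in plain text: keep the file readable only by
# the ingester's service account and keep the secret out of shared copies.
[Global]
# NOTE(review): 0 presumably means "no connection timeout" - confirm against the ingester docs.
Connection-Timeout=0
# File in which the ingester persists its follow state.
State-Store-Location=/opt/gravwell/etc/file_follow.state
# Options are OFF INFO WARN ERROR
Log-Level=WARN
Log-File=/opt/gravwell/log/file_follow.log
# Maximum number of files to watch before rotating out old ones. This can be
# raised, but the relevant sysctl limits will need adjusting as well.
Max-Files-Watched=128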
# One follower per Zeek log. Every follower below uses the same five keys:
#   Base-Directory            directory that is watched (/logs/)
#   File-Filter               the single file name followed in that directory
#   Tag-Name                  tag applied to the entries ("zeek" + log name)
#   Ignore-Line-Prefix        lines starting with "#" are skipped
#   Timestamp-Format-Override timestamp format forced to UnixMilli
# NOTE(review): skipping "#" lines drops Zeek's TSV header (including the
# #fields line), so downstream parsing presumably relies on a fixed column
# order - re-check extractions after any Zeek change that adds or removes fields.
# NOTE(review): each File-Filter names only the live log file; rotated or
# compressed archives in the same directory would not match - confirm that is intended.

[Follower "barnyard2"]
Base-Directory="/logs/"
File-Filter="barnyard2.log"
Tag-Name="zeekbarnyard2"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "conn"]
Base-Directory="/logs/"
File-Filter="conn.log"
Tag-Name="zeekconn"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "dce_rpc"]
Base-Directory="/logs/"
File-Filter="dce_rpc.log"
Tag-Name="zeekdce_rpc"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "dhcp"]
Base-Directory="/logs/"
File-Filter="dhcp.log"
Tag-Name="zeekdhcp"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "dnp3"]
Base-Directory="/logs/"
File-Filter="dnp3.log"
Tag-Name="zeekdnp3"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "dns"]
Base-Directory="/logs/"
File-Filter="dns.log"
Tag-Name="zeekdns"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "dpd"]
Base-Directory="/logs/"
File-Filter="dpd.log"
Tag-Name="zeekdpd"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "files"]
Base-Directory="/logs/"
File-Filter="files.log"
Tag-Name="zeekfiles"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "ftp"]
Base-Directory="/logs/"
File-Filter="ftp.log"
Tag-Name="zeekftp"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "http"]
Base-Directory="/logs/"
File-Filter="http.log"
Tag-Name="zeekhttp"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "intel"]
Base-Directory="/logs/"
File-Filter="intel.log"
Tag-Name="zeekintel"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "irc"]
Base-Directory="/logs/"
File-Filter="irc.log"
Tag-Name="zeekirc"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "kerberos"]
Base-Directory="/logs/"
File-Filter="kerberos.log"
Tag-Name="zeekkerberos"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "known_certs"]
Base-Directory="/logs/"
File-Filter="known_certs.log"
Tag-Name="zeekknown_certs"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "known_hosts"]
Base-Directory="/logs/"
File-Filter="known_hosts.log"
Tag-Name="zeekknown_hosts"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "known_modbus"]
Base-Directory="/logs/"
File-Filter="known_modbus.log"
Tag-Name="zeekknown_modbus"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "known_services"]
Base-Directory="/logs/"
File-Filter="known_services.log"
Tag-Name="zeekknown_services"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "modbus"]
Base-Directory="/logs/"
File-Filter="modbus.log"
Tag-Name="zeekmodbus"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "modbus_register_change"]
Base-Directory="/logs/"
File-Filter="modbus_register_change.log"
Tag-Name="zeekmodbus_register_change"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "mysql"]
Base-Directory="/logs/"
File-Filter="mysql.log"
Tag-Name="zeekmysql"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "notice_alarm"]
Base-Directory="/logs/"
File-Filter="notice_alarm.log"
Tag-Name="zeeknotice_alarm"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "notice"]
Base-Directory="/logs/"
File-Filter="notice.log"
Tag-Name="zeeknotice"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "ntlm"]
Base-Directory="/logs/"
File-Filter="ntlm.log"
Tag-Name="zeekntlm"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "ocsp"]
Base-Directory="/logs/"
File-Filter="ocsp.log"
Tag-Name="zeekocsp"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "openflow"]
Base-Directory="/logs/"
File-Filter="openflow.log"
Tag-Name="zeekopenflow"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "pe"]
Base-Directory="/logs/"
File-Filter="pe.log"
Tag-Name="zeekpe"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "radius"]
Base-Directory="/logs/"
File-Filter="radius.log"
Tag-Name="zeekradius"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "rdp"]
Base-Directory="/logs/"
File-Filter="rdp.log"
Tag-Name="zeekrdp"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "rfb"]
Base-Directory="/logs/"
File-Filter="rfb.log"
Tag-Name="zeekrfb"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "signatures"]
Base-Directory="/logs/"
File-Filter="signatures.log"
Tag-Name="zeeksignatures"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "sip"]
Base-Directory="/logs/"
File-Filter="sip.log"
Tag-Name="zeeksip"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "smb_cmd"]
Base-Directory="/logs/"
File-Filter="smb_cmd.log"
Tag-Name="zeeksmb_cmd"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "smb_files"]
Base-Directory="/logs/"
File-Filter="smb_files.log"
Tag-Name="zeeksmb_files"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "smb_mapping"]
Base-Directory="/logs/"
File-Filter="smb_mapping.log"
Tag-Name="zeeksmb_mapping"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "smtp"]
Base-Directory="/logs/"
File-Filter="smtp.log"
Tag-Name="zeeksmtp"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "snmp"]
Base-Directory="/logs/"
File-Filter="snmp.log"
Tag-Name="zeeksnmp"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "socks"]
Base-Directory="/logs/"
File-Filter="socks.log"
Tag-Name="zeeksocks"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "software"]
Base-Directory="/logs/"
File-Filter="software.log"
Tag-Name="zeeksoftware"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "ssh"]
Base-Directory="/logs/"
File-Filter="ssh.log"
Tag-Name="zeekssh"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "ssl"]
Base-Directory="/logs/"
File-Filter="ssl.log"
Tag-Name="zeekssl"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"
# Follows Zeek's syslog.log and tags its entries zeeksyslog.
# NOTE(review): the follower name "sy" does not match the syslog.log filter or
# the zeeksyslog tag and looks truncated from "syslog". Renaming it may affect
# the saved follow state for this file - confirm before changing a deployed config.
[Follower "sy"]
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"
Base-Directory="/logs/"
File-Filter="syslog.log"
Tag-Name="zeeksyslog"
# Followers for Zeek's tunnel, weird and x509 logs: each watches one file in
# /logs/, skips lines starting with "#", forces the UnixMilli timestamp format
# and tags entries "zeek" + log name.

[Follower "tunnel"]
Base-Directory="/logs/"
File-Filter="tunnel.log"
Tag-Name="zeektunnel"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "weird"]
Base-Directory="/logs/"
File-Filter="weird.log"
Tag-Name="zeekweird"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

[Follower "x509"]
Base-Directory="/logs/"
File-Filter="x509.log"
Tag-Name="zeekx509"
Ignore-Line-Prefix="#"
Timestamp-Format-Override="UnixMilli"

# NOTE(review): no follower in this file covers Zeek's own sensor-health logs
# (for example reporter.log, stats.log, or capture_loss.log where that script
# is loaded). Without them, packet loss or script errors on the sensor are not
# visible next to the protocol logs - consider whether they should be ingested.