Steps for running a custom script in Zeek(bro) NSM and generating notice in log files?

Question

I am a beginner with Zeek NSM. I have written a script that generates simply notice logs. I don't know where should I place this script or which steps should I follow to generate notice logs or my custom logs

I have already go through the documentation of Zeek and figure out these basic steps.

1. make a folder in /nsm/bro/share/bro/site/ with your script name.

2. place your script in this folder.

3. make a new script main.bro and write @load <mycustomScript>.bro in it.

4. Than write your folder name (in which you place your script) in loaded_scripts.bro.

5. Than run the following commands...

i. broctl stop

ii. broctl check

iii. broctl deploy

iv. broctl start

You will find the logs in the same folder (in which we place our script). but after doing all these steps, there are still no logs in that folder.

....................................... basic script for generating notice logs: .......................................

@load base/frameworks/notice
 
export {
   redef enum Notice::Type += {
    Test_Notice,
 };

 event bro_init()
 {
   NOTICE([$note=Test_Notice, $msg=fmt("Testing the Notice Framework")]);
 } 

Kindly tell me is this the write sequence of commands to run a custom script? or there is something wrong? or there some additional task required to run the script and generate notice logs?

Answer 1

I found these steps correct. /opt/bro/share/bro/site/local.bro

You can add custom scripts in /opt/bro/share/bro/policy/ and then reference the scripts in /opt/bro/share/bro/site/local.bro. Below is an example how to do so:

Create a new directory under /opt/bro/share/bro/policy/. sudo mkdir /opt/bro/share/bro/policy/custom-scripts

Add your custom script(s) and __load__.bro to this directory.

Modify __load__.bro to reference the scripts in the custom-scripts directory:

@load ./script1.bro @load ./script2.bro

Edit /opt/bro/share/bro/site/local.bro so that it will load the new scripts in /opt/bro/share/bro/policy/custom-scripts, by adding @load custom-scripts at the bottom of the file and saving the file.

Restart Bro. sudo so-bro-restart

Check /nsm/bro/logs/current/loaded_scripts.log to see if your custom script(s) has/have been loaded.

Check /nsm/bro/logs/current/reporter.log for clues if your custom script(s) is/are not working as desired.

To check and see if a Bro script has fired a Notice, go to Kibana and check the Bro Notices dashboard. Alternatively, you can check for entries in /nsm/bro/logs/current/notice.log.