It's hard to answer if it's a good idea. It really depends on the desired goal of your manager.

From a security perspective, I'd rather have that data on the conn log. You can correlate the conn to the http traffic or any other protocol, but not reduce the visibility by pinning it to a single protocol.

I would need to know more about the goals, and you are always free to reach out to me directly if you'd prefer.

Hope this helps.

-PK

On Tue, Dec 22, 2020 at 3:02 AM Robert Gabriel via zeek <zeek@lists.zeek.org> wrote:
Hi,

My manager wants geolocation info in the http.log.

I have looked at several scripts and only see geolocation info in conn.log and ssh.log etc.

Is it a sound idea to have geolocation info in the http.log?

Thank you.


--

Patrick Kelley, CISSP, C|EH, ITIL

CTO
(o) (478) 309-CRIT (2748)
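
The correlation mentioned in the reply above, as an added example that is not part of the original thread: geolocation stays in conn.log and is joined onto http.log entries through the shared connection `uid`. The geo field names (`orig_cc`, `resp_cc`) are assumptions that depend on the geolocation script in use, and all log records are constructed samples.

```python
import json

# Constructed sample records in Zeek JSON log format. The geo field names
# (orig_cc, resp_cc) are assumptions; they depend on the script that adds them.
CONN_LOG = """\
{"ts":1608627720.1,"uid":"CAbc123","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","id.resp_p":80,"service":"http","resp_cc":"NL"}
{"ts":1608627725.4,"uid":"CDef456","id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.22","id.resp_p":22,"service":"ssh","resp_cc":"BR"}
{"ts":1608627730.9,"uid":"CGhi789","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.44","id.resp_p":80,"service":"http"}
"""
HTTP_LOG = """\
{"ts":1608627720.3,"uid":"CAbc123","method":"GET","host":"example.com","uri":"/a"}
{"ts":1608627720.8,"uid":"CAbc123","method":"GET","host":"example.com","uri":"/b"}
{"ts":1608627731.0,"uid":"CGhi789","method":"POST","host":"example.org","uri":"/login"}
"""

GEO_FIELDS = ("orig_cc", "resp_cc")


def parse(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_geo_by_uid(conn_records):
    """Map each connection uid to whichever geo fields conn.log carries for it."""
    return {r["uid"]: {f: r[f] for f in GEO_FIELDS if f in r} for r in conn_records}


def enrich_http(http_records, geo_by_uid):
    """Return http records with geo fields copied from the matching connection.

    Several requests can share one uid; a missing lookup yields None, not an error.
    """
    enriched = []
    for rec in http_records:
        geo = geo_by_uid.get(rec["uid"], {})
        enriched.append({**rec, **{f: geo.get(f) for f in GEO_FIELDS}})
    return enriched


if __name__ == "__main__":
    geo = index_geo_by_uid(parse(CONN_LOG))
    for row in enrich_http(parse(HTTP_LOG), geo):
        print(row["uid"], row["host"], row["uri"], row["resp_cc"])
```

The SSH connection keeps its geolocation in conn.log even though it never appears in http.log, which is the visibility the reply refers to.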