Thank you for the reply. I have changed the files as suggested by you
(please find new files attached for reference). I loaded both
zeek_mail.zeek and zeek_mail2.zeek in local.zeek (e.g. @load
/usr/local/bro/share/bro/site/zeek_mail.zeek). I restarted with
`zeekctl deploy`. Then I logged out of my AWS ec2 server and logged back
in. I can see ssh.log under $PREFIX/logs/current but no notice.log and I
did not receive an email. I am not sure if there is something else I am
Please note that I have MailTo="email@address" set in my zeekctl.cfg and I
can send an email using sendmail manually and Zeek seems to send emails on
connection summary and capture loss fine. I tried, to the best of my
efforts, most of the resources on notices available online, without
success. Any help would be much appreciated.
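For reference, here is a minimal, self-contained version of the setup this thread is about: a notice type exported from the SSH module namespace, raised on every SSH authentication attempt, and routed to e-mail through the Notice::policy hook. This is an added example, not the attached zeek_mail.zeek/zeek_mail2.zeek files or anything from the Zeek project itself; the notice name Login_attempted and the message text are assumptions chosen to match the thread.

```zeek
# Added example script: one file that both declares the notice type and
# hooks it to the e-mail action. Load it from local.zeek with
#   @load /usr/local/bro/share/bro/site/ssh_login_notice
# (path assumed; adjust to the site directory in use).

module SSH;

export {
    # Because this enum value is exported inside "module SSH;", every
    # other script (and the Notice::policy hook below) must refer to it
    # as SSH::Login_attempted, not Notice::Login_attempted.
    redef enum Notice::Type += {
        ## Raised on every SSH authentication attempt, successful or not.
        Login_attempted
    };
}

# ssh_auth_attempted fires once per client authentication attempt; the
# second argument says whether that attempt succeeded.
event ssh_auth_attempted(c: connection, authenticated: bool)
{
    NOTICE([$note=SSH::Login_attempted,
            $msg=fmt("SSH login attempt from %s to %s (authenticated=%s)",
                     c$id$orig_h, c$id$resp_h, authenticated),
            $conn=c]);
}

# The policy hook runs for every notice; adding ACTION_EMAIL here sends
# this notice type to Notice::mail_dest (zeekctl fills that in from the
# MailTo setting in zeekctl.cfg). ACTION_LOG is applied by default, so
# the notice also lands in notice.log.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note == SSH::Login_attempted )
        add n$actions[Notice::ACTION_EMAIL];
}
```

Two things worth checking when notice.log still does not appear on a live sensor: notice.log is only created once a NOTICE is actually raised, so if the monitored interface never sees the SSH traffic (for example, the sensor is capturing a different interface than the one the login arrives on) the file will not exist even though ssh.log does; and the example deliberately sets no $identifier, because a notice with an identifier is suppressed for Notice::default_suppression_interval after its first occurrence, which can make repeated test logins look as if the script is not firing.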
On Thu, 30 May 2019 at 14:30, anthony kasza <anthony.kasza(a)gmail.com> wrote:
In zeek_mail.zeek, change "$note=Notice::Login_attempted" to
"$note=SSH::Login_attempted". This is because you exported the additional
notice type from the SSH module namespace.
I'm not completely sure, but you may need to change the second @load
directive in zeek_mail2.zeek to "zeek_mail" instead of
On Thu, May 30, 2019, 03:48 Merril Mathew <merril.mathew(a)baby2body.com>
I am very new to Zeek. I was trying to send an email on any SSH attempt,
regardless of success or fail. The notice framework is really confusing and
I could not find much information online. :) Would be great if someone can
explain to me what I need to do to solve this specific issue.
Please find attached what I have tried so far. Please also note that
whenever I tried to run my scripts with a pcap file it generates a
notice.log. However, if I load my script to local.zeek then I cannot find
any notice.log in $PREFIX/bro/logs/current.
zeek_mail.zeek is where the Notice implementation is done and
zeek_mail2.zeek is where the notice hook is applied.
Zeek mailing list