[Bro] Format of log file

Vern Paxson vern at icir.org
Mon Jul 30 08:58:38 PDT 2007


> I have a little question: why do we have some files (logs) which start with
> t=<epoch_time>, for example alarm/notice, and others with just <epoch_time>,
> for example arp/conn?

Historically each file has used fixed-column format, without tags to
indicate the meaning of the column.  We've started migrating to tags for
just the reason you cite, to make it easier to write back-end parsers.
However, this effort is not complete.

> I ask this because I'm writing a little script and it'll
> be easier to only have one format. :-)

In the interim you might consider writing helper scripts that will
translate the different log files into a tagged format.

> Another thing: I'm thinking about adding one more parameter in bro.cfg; we
> may use it to specify if we want the log's time in epoch time or 'normal'
> time.

By normal time do you mean human-readable timestamps?  If so, you can achieve
that using the "cf" tool in aux/cf - except it presently expects timestamps
to start at the beginning of each line, so you'd need to extend it to know
about t=<timestamp>.  (If you do, please send us a patch for the addition.)

		Vern
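As an added example (not code from this thread or from Bro itself), a small helper in the spirit of the interim suggestion above: it accepts lines in either layout, a bare leading epoch or a tagged t=<epoch>, and rewrites them so every line starts with a tagged timestamp, optionally rendered as human-readable UTC the way a cf-style conversion would. The sample lines and their non-timestamp field names are constructed for illustration and are not Bro's real log layouts.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines: a notice-style line tagged "t=<epoch>" and a
# conn-style line beginning with a bare epoch. Field names after the
# timestamp are illustrative, not Bro's actual column layouts.
SAMPLE_LINES = [
    "t=1185810000.123456 no=SensitiveSignature msg=example",
    "1185810000.654321 10.0.0.1 10.0.0.2 tcp 80",
    "",  # blank lines are skipped
]

# Matches either "t=<epoch>" or a bare "<epoch>" at the start of a line.
TS_RE = re.compile(r"^(?:t=)?(\d+(?:\.\d+)?)(?:\s+|$)")


def split_timestamp(line):
    """Return (epoch_string, rest_of_line), or None if no leading timestamp."""
    m = TS_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group(1), line.rstrip("\r\n")[m.end():]


def human_time(epoch_str):
    """Render an epoch timestamp as an ISO-8601 UTC string (seconds precision)."""
    ts = datetime.fromtimestamp(float(epoch_str), tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_line(line, readable=False):
    """Rewrite one line so it always starts with a tagged 't=' timestamp.

    readable=True emits t=<ISO UTC time>; otherwise the original epoch
    string is kept verbatim so no precision is lost in re-formatting.
    """
    parsed = split_timestamp(line)
    if parsed is None:
        return None  # caller decides whether to drop or flag the line
    epoch_str, rest = parsed
    ts = human_time(epoch_str) if readable else epoch_str
    return "t=%s %s" % (ts, rest) if rest else "t=%s" % ts


def normalize_lines(lines, readable=False):
    """Normalize a sequence of log lines, skipping blanks and unparseable ones."""
    out = (normalize_line(l, readable) for l in lines if l.strip())
    return [o for o in out if o is not None]


if __name__ == "__main__":
    for out in normalize_lines(SAMPLE_LINES, readable=True):
        print(out)
```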
