[Bro] Format of log file
vern at icir.org
Mon Jul 30 08:58:38 PDT 2007
> I have a little question: why do we have some (log) files which start with
> t=<epoch_time>, for example alarm/notice, and others with just <epoch_time>,
> for example arp/conn?
Historically each file has used a fixed-column format, without tags to
indicate the meaning of each column. We've started migrating to tags for
just the reason you cite, to make it easier to write back-end parsers.
However, this effort is not complete.
> I ask this because I'm writing a little script and it'll
> be easier to only have one format. :-)
In the interim you might consider writing helper scripts that will
translate the different log files into a tagged format.
> Another thing: I'm thinking about adding one more parameter in bro.cfg; we
> may use it to specify if we want the log's time in epoch time or 'normal' time.
By normal time do you mean human-readable timestamps? If so, you can achieve
that using the "cf" tool in aux/cf - except it presently expects timestamps
to start at the beginning of each line, so you'd need to extend it to know
about t=<timestamp>. (If you do, please send us a patch for the addition.)
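A helper script of the kind suggested above, added here as an example and not part of the original thread or of the Bro tools: it accepts both the t=<epoch> and bare-epoch line formats, rewrites each line into a tagged form, and appends a human-readable time much as cf does. The sample lines are constructed, and the output field names t= and date= are assumptions.

```python
import re
from datetime import datetime, timezone

# Both flavours described in the thread: a "t=<epoch>" tag or a bare epoch
# as the first column. The fractional part is optional in either case.
TAGGED_RE = re.compile(r"^t=(\d+(?:\.\d+)?)(?=\s|$)")
BARE_RE = re.compile(r"^(\d+(?:\.\d+)?)(?=\s|$)")


def split_timestamp(line):
    """Return (raw_epoch_string, rest_of_line) or None if no leading timestamp."""
    m = TAGGED_RE.match(line) or BARE_RE.match(line)
    if m is None:
        return None
    return m.group(1), line[m.end():].lstrip()


def human_time(epoch):
    """Format an epoch timestamp; cf prints local time, UTC is used here for reproducibility."""
    return datetime.fromtimestamp(float(epoch), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def normalize(line):
    """Rewrite one log line into the tagged form with a readable copy of the time.

    Lines without a leading timestamp (comments, blank lines) are returned unchanged.
    """
    line = line.rstrip("\n")
    parsed = split_timestamp(line)
    if parsed is None:
        return line
    epoch, rest = parsed
    out = "t=%s date=%s" % (epoch, human_time(epoch))
    return out + (" " + rest if rest else "")


# Constructed sample lines, one per flavour plus a comment line; not real Bro output.
SAMPLE = [
    "t=1185811118.123456 no=PortScan src=10.0.0.1",
    "1185811118.654321 0.5 10.0.0.1 10.0.0.2 http",
    "# comment",
]

if __name__ == "__main__":
    for ln in SAMPLE:
        print(normalize(ln))
```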