[Bro] Format of log file
robin at icir.org
Mon Jul 30 09:16:06 PDT 2007
On Fri, Jul 27, 2007 at 16:52 -0400, Jean-Philippe Luiggi wrote:
> Just a simple question, why do we've some files which start with
> t=<epoch_time> ("alarm/notice") and others with just <epoch_time>
> ("arp/conn") ?
I think the notice/alarm files are the only ones starting with "t="
but they only do that if you use use_tagging=T. We added this tagged
format to make these files more easily parseable (and also readable
IMHO) though you're right that this is inconsistent with other logs.
However, each log file looks pretty much different anyway and so I
would think that you always need some file-specific parsing logic.
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro