[Bro] Format of log file
jp.luiggi at free.fr
Mon Jul 30 10:34:46 PDT 2007
On Mon, Jul 30, 2007 at 09:16:06AM -0700, Robin Sommer wrote:
> On Fri, Jul 27, 2007 at 16:52 -0400, Jean-Philippe Luiggi wrote:
> > Just a simple question, why do we've some files which start with
> > t=<epoch_time> ("alarm/notice") and others with just <epoch_time>
> > ("arp/conn") ?
> I think the notice/alarm files are the only ones starting with "t="
> but they only do that if you use use_tagging=T. We added this tagged
> format to make these files more easily parseable (and also readable
> IMHO) though you're right that this is inconsistent with other logs.
> However, each log file looks pretty much different anyway and so I
> would think that you always need some file-specific parsing logic.
Yes, I agree with you; I'm sure I'll always have some specific parsing logic to
If you agree to use tagging as the rule of choice, we may make a jump on this and
develop it for the other files?
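As an added example (not code from this thread or from Bro itself), a small Python parser that handles both line styles the exchange describes: tagged lines beginning with "t=<epoch>" and untagged lines beginning with a bare epoch. The column names used for the untagged case and the sample lines are constructed assumptions, not Bro's actual schema.

```python
"""Parse the two Bro log line styles discussed in the thread.

Tagged style   : "t=<epoch> key=value ..."  (notice/alarm with use_tagging=T)
Untagged style : "<epoch> field field ..."  (conn/arp), needs a per-file column list

Sample lines and the column names below are constructed for this example.
"""
from datetime import datetime, timezone

# Constructed samples; column names other than "t" are assumptions.
NOTICE_LINE = "t=1185812046.123456 note=PortScan msg=example"
CONN_LINE = "1185812046.123456 0.5 10.0.0.1 10.0.0.2 http 51234 80 tcp"
CONN_COLUMNS = ["t", "duration", "orig_h", "resp_h", "service",
                "orig_p", "resp_p", "proto"]


def parse_log_line(line, columns=None):
    """Return a dict for one log line, choosing the parser from its first token.

    Tagged lines are self-describing; untagged lines need `columns`, whose
    first entry must be "t" (the epoch timestamp). Malformed input raises
    ValueError rather than producing a half-filled record.
    """
    fields = line.split()
    if not fields:
        raise ValueError("empty line")
    if fields[0].startswith("t="):
        rec = {}
        for tok in fields:
            key, sep, val = tok.partition("=")
            if not sep or not key:
                raise ValueError(f"bad tagged token {tok!r}")
            rec[key] = val
    else:
        if not columns or columns[0] != "t":
            raise ValueError("untagged line needs a column list starting with 't'")
        if len(fields) != len(columns):
            raise ValueError(f"expected {len(columns)} fields, got {len(fields)}")
        rec = dict(zip(columns, fields))
    try:
        rec["t"] = float(rec["t"])
    except (KeyError, ValueError):
        raise ValueError("missing or non-numeric timestamp")
    # Normalised UTC datetime so downstream code need not care which style it saw.
    rec["ts"] = datetime.fromtimestamp(rec["t"], tz=timezone.utc)
    return rec
```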