[Bro] http.log reorder and skip fields, how?

Seth Hall seth at icir.org
Fri Apr 13 14:04:20 PDT 2012


On Apr 13, 2012, at 3:53 PM, Dalton Porter wrote:

> Seth, thanks for the info. I tried this:
> event bro_init() &priority=5
>  {
>  Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
>  local filter: Log::Filter = [$name="myfilt", $path="myfilt", $include=set("id.orig_h","id.resp_h","ts")];
>  Log::add_filter(HTTP::LOG,filter);
>  }
>  
> But in the output file, the fields are ordered ts,orig,resp.  Can I control the ordering?
> Is there an easy way to change field separator?
> Thank you.

You can't control ordering (sets aren't ordered either).  If you need to change the order, you could do that by processing the logs through bro-cut like this:

	cat myfilt.log | bro-cut id.orig_h id.resp_h ts

Also, your code above should look like this…

event bro_init()
	{
	Log::add_filter(HTTP::LOG,[$name="myfilt", $path="myfilt", $include=set("id.orig_h","id.resp_h","ts")]);
	}

You shouldn't be redefining the stream.  Keep in mind that this will still create the full http log since you aren't removing the default filter.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/