[Bro] http.log reorder and skip fields, how?
seth at icir.org
Fri Apr 13 14:04:20 PDT 2012
On Apr 13, 2012, at 3:53 PM, Dalton Porter wrote:
> Seth, thanks for the info. I tried this:
> event bro_init() &priority=5
> Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
> local filter: Log::Filter = [$name="myfilt", $path="myfilt", $include=set("id.orig_h","id.resp_h","ts")];
> But in the output file, the fields are ordered ts,orig,resp. Can I control the ordering?
> Is there an easy way to change field separator?
> Thank you.
You can't control ordering (sets aren't ordered either). If you need to change the order, you could do that by processing the logs through bro-cut like this:
cat myfilt.log | bro-cut id.orig_h id.resp_h ts
Also, your code above should look like this…
Log::add_filter(HTTP::LOG,[$name="myfilt", $path="myfilt", $include=set("id.orig_h","id.resp_h","ts")]);
You shouldn't be redefining the stream. Keep in mind that this will still create the full http log since you aren't removing the default filter.
International Computer Science Institute
(Bro) because everyone has a network
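As an added illustration (not part of the thread and not Bro's own tooling), the same post-processing can be done without bro-cut by reading the #separator and #fields header lines of a Bro ASCII log and emitting the chosen columns in the requested order, optionally with a different output separator. The sample log below is constructed in the Bro 2.0 ASCII format with the three fields from the filter above:

```python
# Constructed sample in Bro's ASCII log format: '#separator' is written
# with a space and an escaped value, every other header uses the separator.
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tmyfilt
#open\t2012-04-13-14-00-00
#fields\tts\tid.orig_h\tid.resp_h
#types\ttime\taddr\taddr
1334350000.123456\t10.0.0.5\t192.0.2.80
1334350001.000000\t10.0.0.7\t192.0.2.81
#close\t2012-04-13-15-00-00
"""


def parse_separator(line):
    """Turn '#separator \\x09' into the real separator string (a tab here)."""
    value = line[len("#separator "):]
    return value.encode("ascii").decode("unicode_escape")


def reorder_bro_log(text, fields, out_sep=None):
    """Return data rows restricted to `fields`, in that order.

    `fields` may name any subset of the log's columns; a name that is not
    in the #fields header raises KeyError instead of silently emitting '-'.
    """
    sep = "\t"          # Bro's default, overridden by the #separator header
    names = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = parse_separator(line)
        elif line.startswith("#fields"):
            names = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue    # other header lines (#types, #open, #close, ...)
        else:
            if names is None:
                raise ValueError("data row seen before #fields header")
            record = dict(zip(names, line.split(sep)))
            rows.append([record[f] for f in fields])   # KeyError on bad name
    return [(out_sep or sep).join(r) for r in rows]


if __name__ == "__main__":
    for row in reorder_bro_log(SAMPLE_LOG, ["id.orig_h", "id.resp_h", "ts"], out_sep="|"):
        print(row)
```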