[Bro] http.log reorder and skip fields, how?

Seth Hall seth at icir.org
Fri Apr 13 14:04:20 PDT 2012

On Apr 13, 2012, at 3:53 PM, Dalton Porter wrote:

> Seth, thanks for the info. I tried this:
> event bro_init() &priority=5
>  {
>  Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
>  local filter: Log::Filter = [$name="myfilt", $path="myfilt", $include=set("id.orig_h","id.resp_h","ts")];
>  Log::add_filter(HTTP::LOG,filter);
>  }
> But in the output file, the fields are ordered ts,orig,resp.  Can I control the ordering?
> Is there an easy way to change field separator?
> Thank you.

You can't control ordering (sets aren't ordered either).  If you need to change the order, you could do that by processing the logs through bro-cut like this:

	cat myfilt.log | bro-cut id.orig_h id.resp_h ts

Also, your code above should look like this…

event bro_init()
	{
	Log::add_filter(HTTP::LOG, [$name="myfilt", $path="myfilt", $include=set("id.orig_h","id.resp_h","ts")]);
	}

You shouldn't be redefining the stream.  Keep in mind that this will still create the full http log since you aren't removing the default filter.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
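Both of Dalton's follow-up questions (column order and field separator) are post-processing jobs in Seth's answer. As an added example that is not from this thread or from the Bro distribution, here is a small Python reimplementation of the bro-cut behaviour he points to: it parses the self-describing header of a Bro 2.x ASCII log (#separator, #fields, #types), emits the requested columns in the order requested rather than the file's order, and joins them with an arbitrary output separator (the role of bro-cut's -F option). The log fragment is constructed to resemble the myfilt.log the filter above would write and uses documentation addresses only; the function names are this example's own.

```python
"""Select, reorder and re-separate Bro ASCII log columns, bro-cut style."""
import re

# Constructed http.log fragment as written by a filter with
# $include=set("id.orig_h","id.resp_h","ts"); not captured from a real network.
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tmyfilt
#fields\tts\tid.orig_h\tid.resp_h
#types\ttime\taddr\taddr
1334354000.123456\t192.0.2.10\t198.51.100.5
1334354001.000000\t192.0.2.11\t-
#close\t2012-04-13-14-04-20
"""


def _unescape(s):
    """Decode the \\xNN escapes Bro uses on its '#separator' line."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_bro_log(text):
    """Return (fields, types, rows) for a Bro 2.x ASCII log.

    The schema is self-describing: '#separator' names the delimiter, then
    '#fields' and '#types' list the columns in file order.  Other '#' lines
    (#path, #open, #close, ...) carry no column data and are skipped.
    Rows come back as dicts keyed by field name so callers never depend on
    the on-disk column order, which Bro chooses, not the filter.
    """
    sep = "\t"
    fields, types, rows = None, None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#separator"):
            sep = _unescape(line.split(" ", 1)[1])
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#types"):
            types = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            if fields is None:
                raise ValueError(f"line {lineno}: data before #fields header")
            vals = line.split(sep)
            if len(vals) != len(fields):
                raise ValueError(f"line {lineno}: {len(vals)} values for {len(fields)} fields")
            rows.append(dict(zip(fields, vals)))
    return fields, types, rows


def cut(text, columns, out_sep="\t", with_header=False):
    """Emit `columns` in the order given, joined by `out_sep`.

    Mirrors `bro-cut <columns>` (order) and `bro-cut -F <ofs>` (separator).
    Unknown columns raise instead of yielding a silent all-'-' column, and a
    value that already contains `out_sep` raises instead of shifting every
    later column (Bro's own set separator is ',', so ',' is a risky choice).
    """
    fields, types, rows = parse_bro_log(text)
    missing = [c for c in columns if c not in fields]
    if missing:
        raise KeyError(f"unknown field(s): {missing}")
    out = []
    if with_header:  # like bro-cut -c: header block reduced to the chosen columns
        out.append(out_sep.join(["#fields", *columns]))
        if types:
            tmap = dict(zip(fields, types))
            out.append(out_sep.join(["#types", *(tmap[c] for c in columns)]))
    for row in rows:
        vals = [row[c] for c in columns]
        if any(out_sep in v for v in vals):
            raise ValueError(f"value contains output separator {out_sep!r}: {vals}")
        out.append(out_sep.join(vals))
    return out


if __name__ == "__main__":
    for line in cut(SAMPLE_LOG, ["id.orig_h", "id.resp_h", "ts"], with_header=True):
        print(line)
```

Run it as a script to see the reordered columns with a header, or import `cut` into a pipeline; the separator check matters once output is fed to a tool that splits on the new delimiter, because a multi-value set field rendered with ',' would otherwise be split into extra columns.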
