[Bro] Converting a Bro Script to A New Stream
seth at icir.org
Mon Aug 27 22:41:10 PDT 2012
On Aug 28, 2012, at 12:14 AM, Mike Sconzo <sconzo at visiblerisk.com> wrote:
> I've got a general question around this idea. When is it best to
> create a log filter vs. creating a log file with just the information
> you want in it vs. adding an additional field to a existing log?
In this case, the log being created was a strict subset of the existing log. I definitely wouldn't bother creating a completely new log just to restrict the output columns since we have that supported as a feature of the logging framework.
I guess in most cases where you are just going to end up outputting all of the same fields from an existing log I wouldn't bother creating a new log stream. There are some cases where it just comes down to a style decision if you are adding extra fields but you are also including several fields from an existing log whether or not you create a new log stream.
A good rule of thumb is if your first thought is to handle a log stream event (i.e. DNS::log_dns, HTTP::log_http, etc) to fill out your log file, you should probably use a filter.
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro