[Bro] Bro Log Filename Question

McMahon, Kevin J kmcmahon at mitre.org
Wed Apr 30 12:10:44 PDT 2014

Here’s what I did in Bro 2.1 (I haven’t tried this particular option in 2.2 yet).  It’s a little hacky, but it works and I can use different values for different instantiations:

Change the frameworks/logging/main.bro script to include a `const log_prefix = "" &redef`, then change the default_path_func to include this prefix when the function returns by cat'ing the prefix with whatever was being returned (three places in 2.1).   Then you can add:

redef Log::log_prefix = "bro.";

in your run specific file to allow for variations.

A quick look at 2.2 seems to indicate that the same operation will work with that version.

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Jason Batchelor
Sent: Wednesday, April 30, 2014 1:49 PM
To: bro at bro.org
Subject: [Bro] Bro Log Filename Question

Hello Bro Community:

I was wondering if there was an easy way to modify log filenames that are placed into the spool directory. All I would like to to, is to simply append 'bro.' to the beginning of each filename. I searched around a bit thinking there may be a simple configuration option I could modify in the broctl.cfg file. Unfortunately however, I have not come upon any solution yet and feel like I am likely missing something obvious.

As an example, I would like the prefix to be something like 'bro.conn.log' instead of 'conn.log' for all files being written to the '/var/opt/bro/spool/bro' directory. Is there a simple way to do this using the Bro application?

Thanks very much for your time and assistance.

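The same effect as the patched-main.bro approach in the reply above, written as a self-contained site script (this is an added example, not code from either poster or from the Bro distribution). Instead of editing base/frameworks/logging/main.bro it redefines Log::default_path_func, which the logging framework declares &redef, and prepends a redef-able Log::log_prefix to the path it computes. The path mapping in prefixed_path_func is a simplified reimplementation of the stock function (assumed behaviour: Module::LOG -> "module", Module::FOO_LOG -> "module_foo"); it does not reproduce the stock CamelCase-to-snake_case splitting, so e.g. PacketFilter::LOG becomes "packetfilter" rather than "packet_filter". The function name prefixed_path_func and the local variable names are this example's own.

```bro
# Site-local script, e.g. loaded from local.bro. Added example; assumes
# Log::default_path_func is declared "&redef" in the running Bro version.

module Log;

export {
	## Prefix prepended to every log filename produced by the default
	## path function, e.g. "bro." turns conn.log into bro.conn.log.
	const log_prefix = "" &redef;
}

# Simplified stand-in for the stock Log::default_path_func (assumption:
# Module::LOG -> "module", Module::FOO_LOG -> "module_foo", anything
# without a module separator -> lowercased as-is).
function prefixed_path_func(id: Log::ID, path: string, rec: any): string
	{
	# The framework may call us again with a path it already obtained from
	# us, or with a path the user set explicitly on the filter. Prefix it
	# once, never twice.
	if ( path != "" )
		{
		if ( sub_bytes(path, 1, |log_prefix|) == log_prefix )
			return path;
		return cat(log_prefix, path);
		}

	local id_str = fmt("%s", id);        # e.g. "Conn::LOG"
	local parts = split1(id_str, /::/);  # 1-based table: [1]="Conn", [2]="LOG"
	local base = "";

	if ( |parts| == 2 )
		{
		local mod = to_lower(parts[1]);
		local stream = parts[2];

		if ( stream == "LOG" )
			# Conn::LOG -> "conn"
			base = mod;
		else
			{
			# Notice::ALARM_LOG -> "notice_alarm"
			if ( /_LOG$/ in stream )
				stream = sub(stream, /_LOG$/, "");
			base = cat(mod, "_", to_lower(stream));
			}
		}
	else
		base = to_lower(id_str);

	return cat(log_prefix, base);
	}

# Install the wrapper for every filter that does not set its own path_func.
redef Log::default_path_func = prefixed_path_func;

# Per-instance value. In practice this line lives in the run-specific
# file so each instantiation can choose a different prefix.
redef Log::log_prefix = "bro.";
```

Because only Log::default_path_func is replaced, a filter that sets its own $path_func keeps its own naming, and a filter that sets $path explicitly still receives the prefix through the path != "" branch. Check the result after a restart by listing the spool directory: with the prefix above, conn.log, dns.log and friends should appear as bro.conn.log, bro.dns.log, and so on.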