[Bro] Bro Log Filename Question
McMahon, Kevin J
kmcmahon at mitre.org
Wed Apr 30 12:10:44 PDT 2014
Here’s what I did in Bro 2.1 (I haven’t tried this particular option in 2.2 yet). It’s a little hacky, but it works and I can use different values for different instantiations:
Change the frameworks/logging/main.bro script to include a "const log_prefix = "" &redef", then change the default_path_func to include this prefix when the function returns by cat'ing the prefix with whatever was being returned (three places in 2.1). Then you can add:
redef Log::log_prefix = "bro.";
in your run specific file to allow for variations.
A quick look at 2.2 seems to indicate that the same operation will work with that version.
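The same idea as the reply above, written as an added example (not Kevin's patch and not part of the Bro distribution): instead of editing frameworks/logging/main.bro, a site script such as local.bro redefines Log::default_path_func and prepends a redef-able prefix. It assumes the Bro 2.1/2.2 builtins split1, to_lower, strstr and cat, uses a hypothetical module name LogPrefix, and omits the CamelCase-to-underscore splitting the stock default_path_func performs.

```bro
# Added example: prefix every log filename without patching main.bro.
# Module name "LogPrefix" is an assumption for this example.
module LogPrefix;

export {
	## Prefix prepended to every log filename. Set it per deployment with
	## "redef LogPrefix::log_prefix = ..." in the run-specific script.
	const log_prefix = "bro." &redef;
}

redef Log::default_path_func = function(id: Log::ID, path: string, rec: any): string
	{
	# The framework calls this on every write and passes back either the
	# filter's explicit $path or this function's previous result, so the
	# prefix must not be stacked on each call.
	if ( path != "" )
		{
		if ( log_prefix == "" || strstr(path, log_prefix) == 1 )
			return path;
		return cat(log_prefix, path);
		}

	# First call with an empty path: derive the base name from the stream ID,
	# mirroring the stock logic (minus CamelCase splitting).
	local id_str = fmt("%s", id);
	local parts = split1(id_str, /::/);
	local base = to_lower(id_str);

	if ( |parts| == 2 )
		{
		if ( parts[2] == "LOG" )
			# Conn::LOG -> "conn"
			base = to_lower(parts[1]);
		else
			# Notice::ALARM_LOG -> "notice_alarm_log"
			base = cat(to_lower(parts[1]), "_", to_lower(parts[2]));
		}

	return cat(log_prefix, base);
	};
```

With the default prefix, Conn::LOG is written as bro.conn.log in the spool directory; a stream whose filter already sets $path="conn" becomes bro.conn as well.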
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Jason Batchelor
Sent: Wednesday, April 30, 2014 1:49 PM
To: bro at bro.org
Subject: [Bro] Bro Log Filename Question
Hello Bro Community:
I was wondering if there was an easy way to modify log filenames that are placed into the spool directory. All I would like to do is simply append 'bro.' to the beginning of each filename. I searched around a bit thinking there may be a simple configuration option I could modify in the broctl.cfg file. Unfortunately, however, I have not come upon any solution yet and feel like I am likely missing something obvious.
As an example, I would like the prefix to be something like 'bro.conn.log' instead of 'conn.log' for all files being written to the '/var/opt/bro/spool/bro' directory. Is there a simple way to do this using the Bro application?
Thanks very much for your time and assistance.