[Bro] Issue when adding a field to files.log
boreham.smith at gmail.com
Sat Sep 12 14:16:01 PDT 2015
Yes - this would seem to be a sensible way to go. I'll look into the
examples in the logging framework.
On Sun, Sep 13, 2015 at 4:12 AM, Daniel Thayer <dnthayer at illinois.edu> wrote:
> This sounds like a good idea. The "Logging Framework" document in
> the Bro Manual shows an example of how to create a new log stream
> (look at the first part of the "Streams" section):
> On 09/12/2015 09:16 AM, Josh Liburdi wrote:
>> My suggestion is to generate a whole new log with the cuckoo_id value
>> (cuckoo.log ?). The main advantage to doing it this way is that new
>> log entries will be written whenever Cuckoo analysis finishes-- you
>> won't need to delay files.log or continue to put cuckoo_id values in
>> notice.log. Additionally, if each entry in the new log has a UID, then
>> that's a very Brogrammatic way to correlate the cuckoo_id value to
>> entries in files.log.
>> On Sat, Sep 12, 2015 at 2:38 AM, Boreham-Smith <boreham.smith at gmail.com> wrote:
>>> Thanks Daniel,
>>> What you suggest makes sense and explains the behaviour I observed. This
>>> leads me to the next thought - is there a way to delay the file being
>>> written out, or an alternate File event that could be used to achieve the
>>> outcome I am looking for?
>>> I am happy pulling the data from the notice logs I am generating, but it
>>> seemed tidy to have this information in the files.log too if possible.
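As an added illustration of the approach suggested in the thread (a separate log stream rather than delaying files.log), here is a minimal Bro script that defines a cuckoo.log stream keyed by the file's fuid. This is example code written for this page, not part of Bro or of any script posted in the thread. The event `cuckoo_analysis_done` is a hypothetical placeholder for however the Cuckoo result reaches Bro (e.g. via the input framework or Broccoli), and the `Cuckoo` module name, the `Info` field names and the `$path="cuckoo"` choice are assumptions:

```bro
# Added example: a dedicated cuckoo.log stream, correlated to files.log by fuid.
# Not from the Bro distribution or the original thread.

module Cuckoo;

export {
    # Register a new log stream ID under the Cuckoo module.
    redef enum Log::ID += { LOG };

    # One row per finished Cuckoo analysis.
    type Info: record {
        ts:        time   &log;   # when the result was recorded
        fuid:      string &log;   # file UID, same value as the fuid column of files.log
        cuckoo_id: string &log;   # Cuckoo task/analysis identifier
    };

    # Hypothetical event: assumed to be raised by whatever glue script
    # receives the result from Cuckoo once analysis has finished.
    global cuckoo_analysis_done: event(fuid: string, cuckoo_id: string);
}

event bro_init() &priority=5
{
    # Creates cuckoo.log; $path="cuckoo" matches the default derived from the ID
    # name, so it can be omitted on Bro versions that do not accept $path.
    Log::create_stream(Cuckoo::LOG, [$columns=Info, $path="cuckoo"]);
}

# Write a row whenever an analysis completes. No delay of files.log is needed:
# the fuid is enough to join the two logs later.
event cuckoo_analysis_done(fuid: string, cuckoo_id: string)
{
    Log::write(Cuckoo::LOG, [$ts=network_time(), $fuid=fuid, $cuckoo_id=cuckoo_id]);
}
```

With this in place, files.log is written on its normal schedule and cuckoo.log gets an entry whenever a result arrives, however long the sandbox takes; joining the two on fuid (for example `bro-cut fuid cuckoo_id < cuckoo.log` against `bro-cut fuid mime_type < files.log`) recovers the per-file correlation without putting cuckoo_id into notice.log.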