[Bro] Custom log file

Beyaz Şapka siberkartal at gmail.com
Mon Jan 2 11:58:30 PST 2017

Hi all,

I want to generate custom log files.
For example, the columns of one log file should be like the following.

Those fields are found in files.log and http.log.
To get those values I need connection, fa_file and fa_metadata records.
More precisely,
I need connection for resp_h and resp_p through conn_id record (c$id$resp_h
and c$id$resp_p).
I need connection for ts, uid, trans_depth, method, status_code,
response_body_len, host, uri, referrer, _flash_version through HTTP::Info
I need connection for geo location through lookup_location(resp_h).
I need fa_metadata for mime_type, since I extract only particular mime
types and also I build the filename that is going to be extracted.
I need fa_file for fuid, source, filename, md5, sha1, and extracted through
Files::Info record.

connection and fa_file records are accessible in event
However, at this phase md5, sha1, extracted, and response_body_len values
are not present.

For this reason, I used HTTP::log_http and Files::log_files events.
I can get all values from those events except resp_h and resp_p.
I use file_over_new_connection for that since I also extract geo location
from here.
But in this case, due to the nature of network traffic that is not
synchronous, resp_h and geo location values in my custom log file is
How do you do that?

I read related parts of the documentation and source code of Bro and
also reviewed the Bro archive for the last one year.
I keep the post short in order not to be wordy for now.
I can send my script also.

Any help is quite appreciated,
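One way to approach the ordering problem described in the post, as an added example that is not the poster's script and not part of the Bro distribution: keep a partial record per fuid, fill in the responder endpoint and geo location in file_over_new_connection (which fires before either log event), add the MIME filter and analyzers in file_sniff, fill in the remaining fields from Files::log_files and HTTP::log_http, and only write the row once both sides have arrived. The module name, log path, field names, the MIME type list and the 5 minute expiry are my own choices; HTTP::Info$resp_fuids, Files::Info$extracted and lookup_location() are assumed to be available as in a Bro 2.5 install with GeoIP support.

```bro
##! Added example: join HTTP::Info, Files::Info and connection endpoints
##! into one custom log, regardless of which log event fires first.

@load base/protocols/http
@load base/files/hash
@load base/files/extract

module CustomHTTPFile;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:                time   &log;
        uid:               string &log;
        fuid:              string &log;
        resp_h:            addr   &log &optional;
        resp_p:            port   &log &optional;
        resp_cc:           string &log &optional;  # country code from lookup_location()
        trans_depth:       count  &log &optional;
        method:            string &log &optional;
        host:              string &log &optional;
        uri:               string &log &optional;
        referrer:          string &log &optional;
        status_code:       count  &log &optional;
        response_body_len: count  &log &optional;
        mime_type:         string &log &optional;
        filename:          string &log &optional;
        md5:               string &log &optional;
        sha1:              string &log &optional;
        extracted:         string &log &optional;
        # Bookkeeping only, not logged: which side has been filled in.
        have_http:         bool   &default=F;
        have_file:         bool   &default=F;
    };

    ## MIME types to extract and log (constructed list, adjust as needed).
    const interesting_types: set[string] = {
        "application/x-dosexec", "application/pdf"
    } &redef;
}

# Partial rows keyed by fuid; expire in case one of the two log events never arrives.
global pending: table[string] of Info &create_expire=5min;

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="custom_http_file"]);
    }

function emit_if_complete(fuid: string)
    {
    local rec = pending[fuid];
    if ( rec$have_http && rec$have_file )
        {
        Log::write(LOG, rec);
        delete pending[fuid];
        }
    }

# Earliest point where fuid, uid and the responder endpoint are all known.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
    {
    if ( ! f?$source || f$source != "HTTP" )
        return;
    if ( f$id !in pending )
        pending[f$id] = [$ts=network_time(), $uid=c$uid, $fuid=f$id];
    local rec = pending[f$id];
    rec$resp_h = c$id$resp_h;
    rec$resp_p = c$id$resp_p;
    local loc = lookup_location(c$id$resp_h);
    if ( loc?$country_code )
        rec$resp_cc = loc$country_code;
    }

# MIME filter plus the analyzers that later populate md5/sha1/extracted.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$id !in pending || ! meta?$mime_type || meta$mime_type !in interesting_types )
        return;
    pending[f$id]$mime_type = meta$mime_type;
    local fname = fmt("%s-%s", f$source, f$id);   # constructed naming scheme
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    Files::add_analyzer(f, Files::ANALYZER_SHA1);
    }

event Files::log_files(rec: Files::Info)
    {
    if ( rec$fuid !in pending )
        return;
    local out = pending[rec$fuid];
    if ( ! out?$mime_type )
        {
        # Not a type we extract: drop the partial row instead of logging it.
        delete pending[rec$fuid];
        return;
        }
    if ( rec?$filename )  out$filename  = rec$filename;
    if ( rec?$md5 )       out$md5       = rec$md5;
    if ( rec?$sha1 )      out$sha1      = rec$sha1;
    if ( rec?$extracted ) out$extracted = rec$extracted;
    out$have_file = T;
    emit_if_complete(rec$fuid);
    }

event HTTP::log_http(rec: HTTP::Info)
    {
    if ( ! rec?$resp_fuids )
        return;
    for ( i in rec$resp_fuids )
        {
        local fuid = rec$resp_fuids[i];
        if ( fuid !in pending )
            next;
        local out = pending[fuid];
        out$ts = rec$ts;
        out$trans_depth = rec$trans_depth;
        if ( rec?$method )      out$method      = rec$method;
        if ( rec?$host )        out$host        = rec$host;
        if ( rec?$uri )         out$uri         = rec$uri;
        if ( rec?$referrer )    out$referrer    = rec$referrer;
        if ( rec?$status_code ) out$status_code = rec$status_code;
        out$response_body_len = rec$response_body_len;
        out$have_http = T;
        emit_if_complete(fuid);
        }
    }
```

The row is written by whichever of Files::log_files or HTTP::log_http runs last, so resp_h and the geo fields are always present because they were captured in file_over_new_connection before either log event. Rows for files whose MIME type is not in the set are dropped when their files.log entry is written, and the &create_expire on the table keeps half-filled rows from accumulating when a transaction never completes.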