[Bro] Custom Script for log field addition.

Blake Moss byublakemoss12 at gmail.com
Fri Jun 2 08:19:12 PDT 2017


Hi all,
I have a question regarding deploying custom scripts across a distributed bro cluster (manager, multiple worker nodes, etc.). I have a particular custom script which add an extra field to the “conn.log”. When I load this script in my local.bro (via @load myscript) on my manager node and use broctl to deploy this across the cluster I do not get an error. However the extra field in my “conn.log” does not appear in the /usr/local/bro/logs/current/conn.log. I did some looking around and found that the field was however being added to the /usr/local/bro/spool/bro/conn.log.  I have tried loading this script in the local-worker.bro, and local-manager.bro but have had no success. Here is my script: module 

MyScript.bro
-----------------------------
addWorker;
export
{
redef record Conn::Info += {
        worker_id: string &default="unknown" &log;
};

event connection_state_remove(c: connection)
{
         c$conn$worker_id = peer_description;
}
}

Thanks for your help!
-Blake 


Sent from Mail for Windows 10

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170602/3a6bd3a6/attachment.html 


More information about the Bro mailing list