[Bro-Dev] Unique connection ID for bro <-> logging framework

Seth Hall seth at icir.org
Fri Dec 3 20:07:57 PST 2010


On Dec 3, 2010, at 10:04 PM, Gregor Maier wrote:

> * I want to count the number of HTTP requests per connection

Ah, ok.  Now that you mention it, I have done searches for that before too. :)

> (e.g., notices
>  have origIP:origPort -> respIP:respPort but when I want to grep for
>  them in conn.log, I have to do some awk to get there)

If the logging framework proceeds in the direction that Robin and I have been outlining, most of this trouble will go away.

> I guess I have more a measurement point of view here....

Yeah, makes sense.  I just wasn't understanding that before. :)  Reading the things you need to do does remind me that Justin Azoff and I need to get back to the metrics framework we've been talking about.  It could help you output logs with a lot of the measurement type data you are looking to get instead of having to do post-processing on the existing logs.

Getting back to your question though, it's an interesting idea but I wonder if it will still be necessary once the "normal" logging output changes.  At the very least, if you output tab separated value data, you should be able to do something like this....

cat whatever.log | grep "1.2.3.4<tab>35231<tab>4.3.2.1<tab>80"

The binary log output may make that even easier too.

  .Seth
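The two things discussed in this thread, counting HTTP requests per connection and matching a notice's origIP:origPort -> respIP:respPort against tab-separated conn.log records, can both be done in one awk pass by building the 4-tuple as a single key. The script below is an added example and is not code from Seth, Gregor, or the Bro project; the column layout (ts, orig_h, orig_p, resp_h, resp_p, ...) and the log lines are constructed assumptions, so the field numbers need adjusting for real Bro output.

```shell
#!/bin/sh
# Added example (not from the thread or from Bro): join tab-separated
# conn.log and http.log records by the connection 4-tuple and count HTTP
# requests per connection. Assumed column layout for both logs:
#   $1 ts  $2 orig_h  $3 orig_p  $4 resp_h  $5 resp_p  ...
# Real Bro logs carry more columns; change the field numbers to match.

# Constructed sample conn.log: ts orig_h orig_p resp_h resp_p proto
CONN_LOG='1291435200.1	1.2.3.4	35231	4.3.2.1	80	tcp
1291435201.5	1.2.3.4	35232	4.3.2.1	80	tcp
1291435202.0	10.0.0.7	51000	4.3.2.1	443	tcp'

# Constructed sample http.log: ts orig_h orig_p resp_h resp_p method uri
HTTP_LOG='1291435200.2	1.2.3.4	35231	4.3.2.1	80	GET	/index.html
1291435200.4	1.2.3.4	35231	4.3.2.1	80	GET	/style.css
1291435200.9	1.2.3.4	35231	4.3.2.1	80	GET	/logo.png
1291435201.7	1.2.3.4	35232	4.3.2.1	80	POST	/login'

# Build the key orig_h:orig_p->resp_h:resp_p from four arguments. Using a
# single tab-free key is what lets a notice be matched against conn.log
# without the awk-and-grep-on-tabs dance described in the thread.
key_of() {
    printf '%s:%s->%s:%s' "$1" "$2" "$3" "$4"
}

# Count HTTP requests per 4-tuple, printing "key<TAB>count" sorted by key.
http_requests_per_conn() {
    printf '%s\n' "$HTTP_LOG" |
    awk -F'\t' '{ n[$2 ":" $3 "->" $4 ":" $5]++ }
                END { for (k in n) printf "%s\t%d\n", k, n[k] }' |
    sort
}

# Join conn.log with the per-connection counts in one awk pass. Each line is
# tagged with its source ("H" for http.log, "C" for conn.log) so a single
# stream can be consumed; HTTP lines come first so counts exist before any
# connection line is printed. Connections with no HTTP requests show 0.
conn_with_http_counts() {
    {
        printf '%s\n' "$HTTP_LOG" | awk -v OFS='\t' '{ print "H", $0 }'
        printf '%s\n' "$CONN_LOG" | awk -v OFS='\t' '{ print "C", $0 }'
    } |
    awk -F'\t' -v OFS='\t' '
        # Fields are shifted right by one because of the source tag in $1.
        $1 == "H" { cnt[$3 ":" $4 "->" $5 ":" $6]++; next }
        $1 == "C" {
            k = $3 ":" $4 "->" $5 ":" $6
            c = (k in cnt) ? cnt[k] : 0
            print $2, k, c        # ts, 4-tuple key, HTTP request count
        }
    '
}

# Look up one connection's HTTP request count by its 4-tuple (the grep from
# the thread, keyed on the tuple instead of on tab-separated fields).
requests_for() {
    http_requests_per_conn |
    awk -F'\t' -v k="$(key_of "$@")" \
        '$1 == k { print $2; found = 1 } END { if (!found) print 0 }'
}

conn_with_http_counts
```

Run it as-is to print one line per connection with its request count, or call `requests_for 1.2.3.4 35231 4.3.2.1 80` to answer the single-connection question. The source-tag trick avoids the usual `NR==FNR` two-file idiom, which silently breaks when the first file is empty.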
