[Bro-Dev] #558: /topic/gilbert/ascii-header
Bro Tracker
bro at tracker.bro-ids.org
Sun Aug 14 21:33:04 PDT 2011
#558: /topic/gilbert/ascii-header
----------------------------+----------------------
Reporter: gclark | Owner: robin
Type: Merge Request | Status: assigned
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version:
Resolution: | Keywords: logging
----------------------------+----------------------
Comment (by gclark):
> - I'd prefer the line with the types to have just those, i.e., `time`
> instead of `ts=time`. That makes it easier to parse in like awk, and the
> relationship to the field name is already there via the column.
All right.
> - What's the use case for including the path?
This allows log processors to recognize log files that have been renamed
to formats other than simple 'conn.log' or 'ftp.log' without having to
wield complex file name regex voodoo.
> - I'm wondering whether we should make it easy to tell what kind of
> meta-line it is. How about this format:
> {{{
> #fields ts uid id.orig_h id.orig_p ...
> #types time string addr port ...
> #separator \t
> #path conn
> }}}
I think separator needs to come first, as it's used while parsing the
other header fields. I also think we need to be careful to ensure the
separator line itself uses a constant separator (a space?), or the line
won't be very useful :)
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/558#comment:2>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
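The ordering point made in this comment (the separator must be known before any other header line can be split, and the `#separator` line itself must use a fixed delimiter) is easy to see in a parser. The example below is an added illustration, not code from the ticket or from the Bro project; it assumes the header layout proposed in the quoted text, with `#separator` first and split on a single space, every later header line and every record delimited by the declared separator, and the sample log lines constructed for this example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample log (not from the ticket) in the header layout discussed
# above: the #separator line comes first and is itself delimited by a single
# space; every later header line and every record uses the declared separator.
SAMPLE_LOG = (
    "#separator \\t\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\n"
    "1313375584.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t198.51.100.7\t443\ttcp\n"
    "1313375590.000000\tCjhGZK2cyPkQFxmuGd\t2001:db8::1\t40000\t2001:db8::2\t22\ttcp\n"
)

# Escapes accepted on the #separator line (assumption: "\t" as written in the
# ticket; any other token is taken literally).
SEPARATOR_ESCAPES = {"\\t": "\t", "\\n": "\n"}


def parse_separator_line(line: str) -> str:
    """Parse the first header line, which must read '#separator <escaped value>'.

    This line cannot be split on the log's own separator, because that is
    exactly what it declares, so it is always split on a single space.
    """
    prefix = "#separator "
    if not line.startswith(prefix):
        raise ValueError("first header line must be '#separator <value>'")
    token = line[len(prefix):]
    if not token:
        raise ValueError("#separator line carries no value")
    return SEPARATOR_ESCAPES.get(token, token)


def convert_field(value: str, type_name: str):
    """Convert one column to a Python value based on its #types entry."""
    if type_name == "time":
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    if type_name == "addr":
        return ipaddress.ip_address(value)
    if type_name == "port":
        port = int(value)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {value}")
        return port
    # 'string' and any type this example does not model stay as text.
    return value


def parse_bro_ascii(text: str) -> dict:
    """Parse header and records; returns path, separator, fields, types, records."""
    sep = None
    header = {}
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line:
            continue
        if line.startswith("#"):
            if sep is None:
                sep = parse_separator_line(line)
                continue
            # Later meta-lines are split on the separator declared above.
            key, _, rest = line[1:].partition(sep)
            header[key] = rest.split(sep) if key in ("fields", "types") else rest
            continue
        if sep is None:
            raise ValueError(f"line {lineno}: data before #separator")
        fields, types = header.get("fields"), header.get("types")
        if fields is None or types is None:
            raise ValueError(f"line {lineno}: record before #fields/#types")
        if len(fields) != len(types):
            raise ValueError("#fields and #types have different column counts")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(values)}")
        records.append({n: convert_field(v, t) for n, v, t in zip(fields, values, types)})
    if sep is None:
        raise ValueError("empty input: no #separator line")
    return {
        "path": header.get("path"),
        "separator": sep,
        "fields": header.get("fields", []),
        "types": header.get("types", []),
        "records": records,
    }


if __name__ == "__main__":
    parsed = parse_bro_ascii(SAMPLE_LOG)
    print(parsed["path"], parsed["fields"])
    for rec in parsed["records"]:
        print(rec["ts"].isoformat(), rec["id.orig_h"], rec["id.orig_p"], rec["proto"])
```

The `#path` value lets a consumer pick the right handling for a renamed file without inspecting its name, as the comment argues, and the column-count check ties `#types` back to `#fields` by position, which is what the reply to the first bullet relies on.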