[Zeek-Dev] Bro 2.5.4

Aashish Sharma asharma at lbl.gov
Mon Apr 1 10:15:31 PDT 2019 

What Seth suggest is a better way to do this. 

I also do one more thing - when logs rotate overnight  - we add the hostname to
the log file names too. 

So our logs from different bro instances are named like:

conn.log.cluster-1-mgr.2019-03-29-00:00:00-00:00:00.gz
conn.log.wireless-bro.2019-03-29-00:00:00-00:00:00.gz

etc.

How we do this: 

Basically in broctl.cfg I've added:

# change log naming
MakeArchiveName = /usr/local/bro/common/scripts/makelocal-archivename-2.1

and here is the makelocal-archivename-2.1 


$ cat makelocal-archivename-2.1
#! /usr/bin/env bash
#
# $Id: makelocal-archivename-2.1 572 2014-10-11 19:18:11Z aashish $
#
# Returns a path for archived log files. This script is called
# once for each log file being archived. Usage is:
#
# make-archive-name <basename> <timestamp-when-opened> <timestamp-when-closed>
#
# basename: The base file name of the log file being archived (e.g., conn.log).
# timestamp-when-opened: The timestamp when the log file being archived was created.
# timestamp-when-closed: The timestamp when the log file being archived was finished.
#
# Times are given in the form "year-month-day-hour-minute-second",
# e.g., "2010-03-30-13-12-04"
#
# The script must return the path under which the file should be
# archived. If it's a relative path, it will be interpreted as
# relative to BroControl's standard log directory.
#
# Note that even though the logs will later be compressed, this
# script should return the filename without any .gz extension; that
# extension will be appended later.

echo $@ >> /var/tmp/make-archive-name-2.1.out

name=$1
flavor=$2
opened=$3
closed=$4
host=`hostname -s`

day=`echo $opened  | awk -F - '{printf "%s-%s-%s", $1, $2, $3}'`
from=`echo $opened | awk -F - '{printf "%s:%s:%s", $4, $5, $6}'`
to=`echo $closed | awk -F - '{printf "%s:%s:%s", $4, $5, $6}'`

if [ "$closed" != "" ]; then
   echo $day/$name.$host.$day-$from-$to
else
   echo $day/$name.$host.$day-$from-current
fi



On Thu, Jan 24, 2019 at 01:10:50PM -0500, Seth Hall wrote:
> 
> 
> On 3 Jan 2019, at 11:01, Rajput, Jawad (CONTR) wrote:
> 
> > Is there a way to add Bro server hostname field into all the Bro log
> > types? We have 5 Bro servers capturing traffic on different network
> > nodes, we are trying to add each server/sensor hostname into all the log
> > types so analyst can identify where the logs are coming from.
> 
> Yes!
> 
> We added a log extension mecahnism a while ago.  Here's a snippet you could
> start from...
> 
> ```bro
> option my_server_name = "";
> 
> type MyLogExtension: record {
>         server_name:   string &log;
> };
> 
> function add_my_log_extension(path: string): MyLogExtension
>         {
>         return MyLogExtension($server_name = my_server_name);
>         }
> 
> 
> redef Log::default_ext_func = add_my_log_extension;
> ```
> 
>   .Seth
> 
> --
> Seth Hall * Corelight, Inc * www.corelight.com


> _______________________________________________
> zeek-dev mailing list
> zeek-dev at zeek.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek-dev

More information about the zeek-dev mailing list