[Bro] Format of log file

Jean-Philippe Luiggi jp.luiggi at free.fr
Mon Jul 30 10:34:46 PDT 2007


Hello,


On Mon, Jul 30, 2007 at 09:16:06AM -0700, Robin Sommer wrote:
> 
> On Fri, Jul 27, 2007 at 16:52 -0400, Jean-Philippe Luiggi wrote:
> 
> > Just a simple question, why do we have some files which start with
> > t=<epoch_time> ("alarm/notice") and others with just <epoch_time>
> > ("arp/conn")?
> 
> I think the notice/alarm files are the only ones starting with "t="
> but they only do that if you use use_tagging=T. We added this tagged
> format to make these files more easily parseable (and also readable
> IMHO) though you're right that this is inconsistent with other logs.
> However, each log file looks pretty much different anyway and so I
> would think that you always need some file-specific parsing logic.

  Yes, I agree with you, I'm sure I'll always have some specific parsing logic to
  manage. :-)
  If you agree to use tagging as the rule of choice, we could make a jump on this
  and develop it for the other files?
  
  Best regards,
  
  Jean-philippe.
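The file-specific parsing logic Robin mentions, as an added example that is not from this thread or from Bro itself: it dispatches on whether a line opens with t=<epoch> (tagged notice/alarm style, use_tagging=T) or with a bare <epoch> (conn/arp style). The positional column names and the sample lines are assumptions constructed for the demonstration.

```python
import re

# One regex per file style named in the thread: tagged lines open with "t=<epoch>",
# untagged (arp/conn) lines open with a bare "<epoch>".
TAGGED_START = re.compile(r'^t=\d+(?:\.\d+)?(?:\s|$)')
PLAIN_START = re.compile(r'^\d+(?:\.\d+)?(?:\s|$)')

# Assumed positional layout for the conn-style sample below (not taken from the Bro docs).
CONN_FIELDS = ('t', 'duration', 'orig_h', 'resp_h', 'service', 'orig_p', 'resp_p', 'proto')


def parse_tagged(line):
    """Parse a use_tagging=T line: whitespace-separated key=value tokens."""
    rec = {}
    for tok in line.split():
        key, sep, val = tok.partition('=')
        if not sep or not key:
            raise ValueError(f'malformed token {tok!r} in tagged line')
        rec[key] = val
    rec['t'] = float(rec['t'])
    return rec


def parse_positional(line, fields=CONN_FIELDS):
    """Parse a bare-epoch line by column position; surplus columns are kept in 'extra'."""
    toks = line.split()
    rec = dict(zip(fields, toks))
    rec['t'] = float(toks[0])
    if len(toks) > len(fields):
        rec['extra'] = toks[len(fields):]
    return rec


def parse_line(line):
    """Dispatch on the first token; returns (style, record) or raises on unknown input."""
    line = line.strip()
    if TAGGED_START.match(line):
        return 'tagged', parse_tagged(line)
    if PLAIN_START.match(line):
        return 'positional', parse_positional(line)
    raise ValueError(f'unrecognised log line: {line!r}')


# Constructed sample lines, one per style; all values are invented.
SAMPLE = """t=1185806166.123 no=NoticeTag src=10.0.0.5 msg=example
1185806166.456 0.250 10.0.0.5 10.0.0.9 http 40123 80 tcp 512 2048 SF
"""


def parse_log(text):
    """Parse every non-blank line of a log body into (style, record) pairs."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


if __name__ == '__main__':
    for style, rec in parse_log(SAMPLE):
        print(style, rec['t'], rec)
```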