[Bro] Printing a header when a file is opened/rotated
Justin Azoff
JAzoff at uamail.albany.edu
Mon Oct 26 06:43:16 PDT 2009
Prior to using broctl I was using a setup like this:

    const phish_log = open_log_file("phish") &raw_output;

    event bro_init()
        {
        print phish_log, cat_sep("\t", "\\N", "start", "orig_h", "mailfrom", "replyto", "subject");
        }

Now that I'm using broctl, it rotates the logs once a day to their new locations. My problem is that
when the file is rotated nothing re-adds the header.

I'm not sure what the best way to fix this is. I know I could disable the
rotate interval and go back to restarting bro every day at midnight. Could
something like this work?

    event rotate_interval(f: file) &priority=10
        {
        if (f$name == "phish.log"){
            print f, cat_sep("\t", "\\N", "start", "orig_h", "mailfrom", "replyto", "subject");
        }
        }

I'm thinking that if there was a file_opened event then that could be used
to handle both cases.

--
-- Justin Azoff
-- Network Performance Analyst