[Bro] Printing a header when a file is opened/rotated

Robin Sommer robin at icir.org
Mon Oct 26 14:58:32 PDT 2009


On Mon, Oct 26, 2009 at 09:43 -0400, you wrote:

> event rotate_interval(f: file) &priority=10
> {
>     if (f$name == "phish.log"){
>         print f, cat_sep("\t", "\\N", "start", "orig_h", "mailfrom", "replyto", "subject");
>     }
> }

Nice thought! It's kind of a hack but I think that could indeed
work, except that instead of f$name you need to use the builtin
function get_file_name(). I'm wondering if there's a race condition
lurking somewhere here but I'm thinking it should be ok ...

Another approach would be writing a shell wrapper around broctl's
log archival script. BroControl sets the following:

    redef RotateLogs::default_postprocessor = "archive-log";
    
You could redef that to your own script, which first prepends the
header to the rotated file (needs a bit of copying the data around
unfortunately) and then continues by calling archive-log. 

However, I think the right way of solving your problem is indeed
this:

> I'm thinking that if there was a file_opened event then that could be used
> to handle both cases.

I like that. Please file a feature request with our tracker. 

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
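The "shell wrapper around archive-log" approach from the reply, as an added POSIX sh example that is not part of the thread and not BroControl's own script. It assumes two things the message does not spell out: that Bro invokes the postprocessor with the rotated file's path as the first argument (the remaining arguments are passed through untouched, so their exact meaning does not matter here), and that the rotated copy of phish.log keeps "phish" as the prefix of its basename. The path to the real archive-log is a placeholder to be overridden with ARCHIVE_LOG. The header columns are the ones from the cat_sep() call quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): a stand-in for
#   redef RotateLogs::default_postprocessor = "archive-log";
# that writes a column header at the top of a rotated phish.log and then
# hands the complete, unmodified argument list to the real archive-log.
# Assumed: $1 is the path of the rotated file; the other arguments are
# opaque and passed straight through.
set -u

# Placeholder for the real script's location; override via the environment.
ARCHIVE_LOG="${ARCHIVE_LOG:-/path/to/broctl/scripts/archive-log}"

# Header for phish.log, matching the columns in the thread's cat_sep() call.
PHISH_HEADER="$(printf 'start\torig_h\tmailfrom\treplyto\tsubject')"

# header_for FILE: print the header that belongs in FILE, or nothing if FILE
# is not a log we want a header for. Assumed: rotated phish.log files keep
# "phish" as the prefix of their basename.
header_for() {
    case "$(basename "$1")" in
        phish*) printf '%s\n' "$PHISH_HEADER" ;;
        *) ;;
    esac
}

# prepend_header FILE HEADER: rewrite FILE so it begins with HEADER followed
# by the original contents. The copy is written to a temp file in the same
# directory and renamed into place, so an interruption never leaves a
# half-written log behind. Running it twice is harmless: if the first line is
# already the header nothing is changed.
prepend_header() {
    file=$1
    header=$2
    if [ -s "$file" ] && [ "$(head -n 1 "$file")" = "$header" ]; then
        return 0
    fi
    dir=$(dirname "$file")
    tmp=$(mktemp "$dir/.hdr.XXXXXX") || return 1
    {
        printf '%s\n' "$header"
        cat "$file"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$file"
}

main() {
    rotated=$1
    header=$(header_for "$rotated")
    if [ -n "$header" ]; then
        prepend_header "$rotated" "$header" || exit 1
    fi
    # Chain to the real archiver with the original argument list intact.
    exec "$ARCHIVE_LOG" "$@"
}

# Only act as a postprocessor when installed under this name; when sourced
# elsewhere the functions above are simply defined.
case "$(basename "$0")" in
    archive-log-with-header) main "$@" ;;
esac
```

Install it as archive-log-with-header, set ARCHIVE_LOG to the real script, and point RotateLogs::default_postprocessor at the wrapper; logs other than phish.log pass through untouched. The temp-file-plus-rename step is the "bit of copying the data around" the reply mentions.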
