[Bro] Printing a header when a file is opened/rotated
Robin Sommer
robin at icir.org
Mon Oct 26 14:58:32 PDT 2009
On Mon, Oct 26, 2009 at 09:43 -0400, you wrote:

> event rotate_interval(f: file) &priority=10
> {
>     if (f$name == "phish.log"){
>         print f, cat_sep("\t", "\\N", "start", "orig_h", "mailfrom", "replyto", "subject");
>     }
> }

Nice thought! It's kind of a hack but I think that could indeed
work, except that instead of f$name you need to use the builtin
function get_file_name(). I'm wondering if there's a race condition
lurking somewhere here but I'm thinking it should be ok ...

Another approach would be writing a shell wrapper around broctl's
log archival script. BroControl sets the following:

    redef RotateLogs::default_postprocessor = "archive-log";

You could redef that to your own script, which first prepends the
header to the rotated file (needs a bit of copying the data around
unfortunately) and then continues by calling archive-log.

However, I think the right way of solving your problem is indeed
this:

> I'm thinking that if there was a file_opened event then that could be used
> to handle both cases.

I like that. Please file a feature request with our tracker.

Robin

--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
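
The shell-wrapper approach described in the message above, sketched as an added example that is not part of the original mail or of BroControl. It assumes the postprocessor receives the rotated file's path as its first argument, that archive-log is on PATH and takes the same arguments, and that the rotated file's name starts with phish.log; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: wrapper to set as RotateLogs::default_postprocessor.
# Assumptions (not from the mail): $1 is the rotated file's path, and
# archive-log is on PATH and accepts the same arguments unchanged.

# Column names taken from the print statement quoted in the mail.
HEADER_COLUMNS="start orig_h mailfrom replyto subject"

# Emit the tab-separated header line (no trailing newline).
make_header() {
    printf '%s' "$HEADER_COLUMNS" | tr ' ' '\t'
}

# Prepend the header to file $1 unless its first line already is the header.
prepend_header() {
    file=$1
    [ -f "$file" ] || return 1
    header=$(make_header)
    first=$(head -n 1 "$file")
    if [ "$first" = "$header" ]; then
        return 0    # already done; safe to run twice on the same file
    fi
    # Build the new content in a temp file next to the log, then copy it
    # back over the original so the log keeps its owner and mode. If the
    # copy back fails, the temp file is left in place as the full copy.
    tmp=$(mktemp "$(dirname "$file")/.hdr.XXXXXX") || return 1
    { printf '%s\n' "$header"; cat "$file"; } > "$tmp" &&
        cat "$tmp" > "$file" &&
        rm -f "$tmp"
}

main() {
    case $(basename "$1") in
        phish.log*)
            prepend_header "$1" || echo "header not added to $1" >&2
            ;;
    esac
    # Hand over to the stock archival script with the original arguments.
    exec archive-log "$@"
}

# Only act when invoked with arguments, as the postprocessor would be.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

A failure to add the header is logged to stderr but does not stop archival, so rotated logs are never left unarchived because of the wrapper.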