[Bro] Bro 2.0 Beta is out!
Matthias Vallentin
vallentin at icir.org
Fri Oct 28 21:50:40 PDT 2011
> The new log formats are a lot easier to read.
Don't forget to check out the new log processing tool bro-cut in the aux
directory:
    bro-cut [options] <columns>

    Extracts the given columns from an ASCII Bro log on standard input. By
    default, bro-cut does not include format header blocks into the output.

    Example: cat conn.log | bro-cut -d ts id.orig_h id.orig_p

      -c        Include the first format header block into the output.
      -C        Include all format header blocks into the output.
      -d        Convert time values into human-readable format (needs gawk).
      -D <fmt>  Like -d, but specify format for time (see strtime(3) for syntax).
For the time conversion, the format string can also be specified by setting
an environment variable BRO_CUT_TIMEFMT.
Here are some more examples (output abbreviated):
    % bro-cut ts id.orig_h id.resp_p < conn.log
    1319742168.465601 192.150.187.147 80
    1319742167.737945 192.150.187.147 80

    % bro-cut host uri < http.log | awk '{ print $1$2 }'
    s0.2mdn.net/879366/flashwrite_1_2.js
    maps.google.com/mapfiles/home3.html

    % bro-cut -d ts < conn.log
    2011-10-27T12:02:48-0700

    % bro-cut -D '%s' ts orig_bytes resp_bytes \
        < conn.log \
        | sort -n \
        | awk '{ if ($1 == ts) { size+=$2+$3 } \
                 else { if (ts != "") print ts, size; \
                        ts=$1; size=$2+$3 } } \
               END { if (ts != "") print ts, size }'
    1319742168 33628
    1319742169 22814
Enjoy,
Matthias
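As an added example, not part of Matthias's post or of the Bro project's own bro-cut script: a small Python reimplementation of the column selection described above, plus the per-second byte total that the last awk pipeline computes. The log text and its byte counts are constructed, and the header layout (`#separator`, `#fields`, `-` for an unset value) is assumed from the 2.0 ASCII format.

```python
from datetime import datetime, timezone

# Constructed sample conn.log in Bro 2.0-style ASCII format (assumed layout):
# '#'-prefixed header block, '#fields' naming the columns, '-' for an unset value.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\torig_bytes\tresp_bytes
1319742168.465601\t192.150.187.147\t51234\t10.0.0.5\t80\t1200\t32428
1319742168.901000\t192.150.187.147\t51235\t10.0.0.5\t80\t0\t-
1319742169.100000\t192.150.187.147\t51236\t10.0.0.5\t443\t814\t22000
#close\t2011-10-27-12-03-00
"""

def parse_bro_log(text):
    """Return (field names, data rows); '#' lines are dropped, as bro-cut does by default."""
    sep, fields, rows = "\t", None, []
    for line in text.splitlines():
        if line.startswith("#separator "):      # header declares the column separator
            sep = bytes(line[len("#separator "):], "ascii").decode("unicode_escape")
        elif line.startswith("#fields" + sep):  # column names, in order
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line:  # #types, #close, ...: skip
            continue
        else:
            rows.append(line.split(sep))
    return fields, rows

def bro_cut(text, columns, timefmt=None):
    """Select columns by name (`bro-cut <columns>`); timefmt renders ts via strftime
    like -d/-D, in UTC here for a deterministic result (bro-cut prints local time)."""
    fields, rows = parse_bro_log(text)
    idx = [fields.index(c) for c in columns]   # ValueError on an unknown column
    out = []
    for row in rows:
        vals = [row[i] for i in idx]
        if timefmt and "ts" in columns:
            k = columns.index("ts")
            t = datetime.fromtimestamp(float(vals[k]), tz=timezone.utc)
            vals[k] = t.strftime(timefmt)
        out.append(vals)
    return out

def bytes_per_second(text):
    """Sum orig_bytes + resp_bytes per whole second (the post's awk pipeline); '-' counts as 0."""
    totals = {}
    for ts, ob, rb in bro_cut(text, ["ts", "orig_bytes", "resp_bytes"]):
        sec = int(float(ts))
        totals[sec] = totals.get(sec, 0) + sum(int(v) for v in (ob, rb) if v != "-")
    return sorted(totals.items())
```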