[Bro] http.log reorder and skip fields, how?
Seth Hall
seth at icir.org
Fri Apr 13 11:24:12 PDT 2012
On Apr 13, 2012, at 1:25 PM, Dalton Porter wrote:
> Hello All. It appears that the data in http.log is a listing of the Info fields which have the &log attribute. I can see how to add fields by redefining record Info using the += syntax. However, I want to customize the output by removing some fields and reordering others. What is the proper way to do this? Can the field separator be adjusted? I don't want to actually "remove" fields, I just don't want some of them displayed. I also didn't want to parse the bro output with a shell script to reformat it, I would like to have bro write the data out the way that I need it.
Read this blog post:
http://blog.bro-ids.org/2012/02/filtering-logs-with-bro.html
And this documentation:
http://www.bro-ids.org/documentation/logging.html#filtering
If you still have questions I'd be glad to answer. I do agree that we are missing the ability to modify flags on record fields, though. I haven't been able to think of a good syntax for that.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
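For readers landing on this thread: the filtering mechanism Seth points to works roughly as follows. This is an added illustration, not code from the original post or from the Bro distribution; the stream ID HTTP::LOG, the $include/$exclude filter fields and LogAscii::separator are the names I believe Bro 2.0 uses, and the specific excluded column names are just a sample chosen for illustration. Note that $include/$exclude only drop columns; column order still follows the order of the fields in the HTTP::Info record, so reordering is not something a filter can do.

```bro
# Added example (not from the original post): trim the columns written to
# http.log without removing fields from HTTP::Info, using a log filter.
@load base/protocols/http

event bro_init()
	{
	# Drop the stock filter that writes every &log field of HTTP::Info.
	Log::remove_default_filter(HTTP::LOG);

	# Install a replacement filter on the same stream. $exclude takes a
	# set of column names; nested record fields use dotted names such as
	# "id.orig_p". (Alternatively, $include lists only the columns to keep.)
	Log::add_filter(HTTP::LOG, [$name="http-trimmed",
	                            $path="http",
	                            $exclude=set("trans_depth", "user_agent",
	                                         "id.orig_p", "tags")]);
	}

# The ASCII writer's field separator is a redef-able constant; the default
# is a tab. Assumption: this is the Bro 2.0 name of the setting.
redef LogAscii::separator = ",";
```

Because the filter is attached to the stream rather than to the record type, other consumers of HTTP::Info (scripts, notices, other filters on HTTP::LOG) still see every field; only this filter's output is trimmed.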