[Bro] Help with searching logs

Michael Bower mbower2 at gmail.com
Tue Apr 2 19:40:41 PDT 2013



I had tried that, but it only outputs the ts field.  I need something
else in that awk statement, just don't know what.


On 4/2/13 8:43 PM, Oehlert, Samuel J wrote:
> You cut those fields out when you did your bro-cut. The id.orig_h
> and orig_bytes are both fields in the log. If you want other
> fields, you just add those to your list. E.g.: bro-cut ts id.orig_h
> orig_bytes resp_bytes < conn.log ….etc
> 
> -Sam
> -------
> Sam Oehlert <soehlert at illinois.edu>
> (217) 300-1076
> Security Engineer
> National Center for Supercomputing Applications
> 
> On Apr 2, 2013, at 7:19 PM, Michael Bower <mbower2 at gmail.com> wrote:
> 
>> I'm still learning, so bear with me.  I ran the
>> following command:
>> 
>> bro-cut id.orig_h orig_bytes < conn.log \
>>   | sort \
>>   | awk '{
>>            if (host != $1) {
>>              # new originator: flush the previous one, start counting this one
>>              if (size != 0)
>>                print host, size;
>>              host = $1;
>>              size = $2
>>            } else
>>              size += $2
>>          }
>>          END {
>>            if (size != 0)
>>              print host, size
>>          }' \
>>   | sort -rnk 2 \
>>   | head -n 10
>> 
>> 
>> This worked well to show me the top 10 hosts (originators).  What
>> I'm trying to do is show the top 10 hosts and the time (ts).
>> Maybe show the resp_bytes field too, if that is possible.  Any
>> help would be greatly appreciated.
>> 
>> Thanks!
>> 
>> -- 
>> Mike
>> 
>> 
>> 
> 


-- 

Mike
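One way to get the per-originator totals together with the timestamps and the resp_bytes column, as an added example that is not code from the original thread or from the Bro project. It assumes the input is what `bro-cut ts id.orig_h orig_bytes resp_bytes < conn.log` emits (one tab-separated record per connection, with `-` for an unset field), sums orig_bytes and resp_bytes per id.orig_h with awk associative arrays instead of relying on a pre-sort, and keeps the earliest and latest ts seen for each host. The `sample_connlog` records are constructed for the example.

```shell
#!/bin/sh
# top_originators [N]
#   Reads "ts  id.orig_h  orig_bytes  resp_bytes" records on stdin (the column
#   order produced by: bro-cut ts id.orig_h orig_bytes resp_bytes < conn.log)
#   and prints, per originator, the top N by total orig_bytes:
#     orig_h  total_orig_bytes  total_resp_bytes  first_ts  last_ts
top_originators() {
  n="${1:-10}"
  awk '
    # Bro writes "-" for unset fields; treat them as zero bytes
    $3 == "-" { $3 = 0 }
    $4 == "-" { $4 = 0 }
    {
      host = $2
      # earliest and latest connection timestamp per originator
      if (!(host in first) || $1 < first[host]) first[host] = $1
      if (!(host in last)  || $1 > last[host])  last[host]  = $1
      orig[host] += $3
      resp[host] += $4
    }
    END {
      for (h in orig)
        if (orig[h] != 0)
          print h, orig[h], resp[h], first[h], last[h]
    }
  ' | sort -rn -k2,2 | head -n "$n"
}

# Constructed sample in bro-cut output format (not real conn.log data);
# exercises unset "-" fields and hosts with several connections.
sample_connlog() {
  printf '%s\t%s\t%s\t%s\n' \
    1364947200.1 10.0.0.5 500  2000 \
    1364947201.5 10.0.0.7 100  50   \
    1364947202.0 10.0.0.5 -    10   \
    1364947203.2 10.0.0.9 3000 -    \
    1364947204.8 10.0.0.7 700  300
}

# Demonstration: the three busiest originators in the sample.
# Against a real log: bro-cut ts id.orig_h orig_bytes resp_bytes < conn.log | top_originators 10
sample_connlog | top_originators 3
```

Summing into arrays keyed by host removes the need for the leading `sort` and avoids the off-by-one that a running-host accumulator invites (dropping the first record of each group, or printing the next group's host with the previous group's total). The `-` handling matters in practice: connections that never completed a handshake have no byte counts, and without it awk would silently treat the dash as zero but `sort -n` would still see a clean numeric column.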