[Bro] quick question

Castle, Shane scastle at bouldercounty.org
Tue Apr 30 13:37:31 PDT 2013


The Bro documentation area is strangely lacking in some respects. The command you are looking for is bro-cut, a powerful little script that can display a human-readable timestamp and also display only the fields of the log files that you are interested in, and rearrange them if you want. The main thing to remember is that it's a classic stdin->stdout command and does not operate on the filename: 
"bro-cut -d ts id.orig_h id.resp_h orig_bytes resp_bytes id.resp_p <conn.log" for example.

Or, after the archiving has been done:

ls -1 2013-03-27/conn.*gz | while read fn;do (export TZ=MST7MDT;zcat $fn | bro-cut -d );done | fgrep 192.168.131.135 | less

This would be if, for instance, your system's clock was running in UTC (which mine is).

-- 
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Allen, Brian
Sent: Tuesday, April 30, 2013 14:02
To: bro at bro.org
Subject: [Bro] quick question

Hi, I installed Bro here and I can already tell it is extremely useful.  I'm just learning how to use it so I have lots of questions.  Here are a couple quick ones:

When parsing through the bro log files, how do I turn the timestamp column into something human readable?  Where would I go to find this answer on my own?  Is there a newbie guide to bro I should be reading?  I don't see how to search this mailing list's archives.

Thanks,
-Brian

Brian Allen
Network Security Analyst
Washington University
