[Bro] Adding a human-readable timestamp field.

Justin Azoff JAzoff at albany.edu
Wed Aug 7 10:48:34 PDT 2013


On Wed, Aug 07, 2013 at 12:07:03PM -0400, Dani Witherspoon wrote:
> event time_translate(c: connection, rec: HTTP::Info)
>         {
>         local format: string = "%F-%H-%M";
>         c$http$human_time = strftime(format, rec$ts);
>         }
> 

You're right up to here. The problem is nothing will trigger the
time_translate event.  You need to use one of the existing events that
will fire for HTTP connections.

I would try:

event HTTP::log_http(rec: HTTP::Info)
{
    ..
}

I believe that fires just before the entry is logged. If that doesn't
work, an event like connection_established or http_request would
definitely work.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst
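
Added example, not part of the original message: a complete script that hooks http_request, one of the existing events the reply names, instead of the never-raised time_translate. The field name human_time and the format string come from the quoted post; the record extension, the negative priority and the c?$http guard are assumptions about how the rest of the original script was set up.

```bro
@load base/protocols/http

# Extend the HTTP log record with the new column (assumed; the quoted
# post does not show its own redef). &optional keeps entries valid when
# the field is never set, &log makes it appear in http.log.
redef record HTTP::Info += {
	human_time: string &log &optional;
};

# http_request is raised by the HTTP analyzer for every request, so this
# handler actually runs. The negative priority schedules it after the base
# HTTP script's own http_request handler, which is what populates c$http
# and its ts field.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=-5
	{
	# Guard against the record not being attached to the connection.
	if ( ! c?$http )
		return;

	# strftime renders in the sensor's local time zone. Keep the native
	# ts column in the log for correlation across sensors.
	c$http$human_time = strftime("%F-%H-%M", c$http$ts);
	}
```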
