[Bro] Adding a human-readable timestamp field.
Dani Witherspoon
punchpernickle at gmail.com
Thu Aug 8 06:10:43 PDT 2013
Thank you so much, Justin! This did the trick -- I really appreciate the
guidance!
If anybody's interested, here's the working bro-code:
@load base/protocols/http

module HTTP;

export {
    redef record Info += {
        ## A human-readable timestamp
        human_time: string &log &optional;
    };
}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    local format: string = "%F, %H:%M";
    c$http$human_time = strftime(format, c$http$ts);
    }
On Wed, Aug 7, 2013 at 1:48 PM, Justin Azoff <JAzoff at albany.edu> wrote:
> On Wed, Aug 07, 2013 at 12:07:03PM -0400, Dani Witherspoon wrote:
> > event time_translate(c: connection, rec: HTTP::Info)
> >     {
> >     local format: string = "%F-%H-%M";
> >     c$http$human_time = strftime(format, rec$ts);
> >     }
> >
>
> You're right up to here.. the problem is nothing will trigger the
> time_translate event. You need to use one of the existing events that
> will fire for http connections.
>
> I would try:
>
> event HTTP::log_http(rec: HTTP::Info)
> {
> ..
> }
>
> I believe that fires just before the entry is logged, if that doesn't
> work an event like connection_established or http_request would
> definitely work.
>
> --
> -- Justin Azoff
> -- Network Security & Performance Analyst
>
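Added example, not part of the thread above: the same record extension, but the field is filled from a shared helper on both the request and the reply path, so an HTTP::Info record whose request side the sensor never saw still gets the field. The helper name set_human_time and the "%F %T" format are my choices; http_request, http_reply, HTTP::Info and strftime are the standard Bro names used in the thread.

```zeek
@load base/protocols/http

module HTTP;

export {
    redef record Info += {
        ## Human-readable rendering of ts (strftime uses the sensor's local timezone)
        human_time: string &log &optional;
    };
}

# Hypothetical helper: fill the field once per HTTP::Info record.
# The base HTTP script creates c$http at priority 5 in both http_request
# and http_reply, so at the default priority it already exists; the ?$
# check is kept as a guard for connections with no HTTP state.
function set_human_time(c: connection)
    {
    if ( ! c?$http )
        return;
    if ( c$http?$human_time )
        return;
    c$http$human_time = strftime("%F %T", c$http$ts);
    }

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    set_human_time(c);
    }

# Reply path: covers records created from a response alone, e.g. when
# capture started mid-connection and the request was missed.
event http_reply(c: connection, version: string, code: count, reason: string)
    {
    set_human_time(c);
    }
```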