[Bro] Adding a human-readable timestamp field.
Harrison Wood
harrison.wood at gmail.com
Thu Aug 8 09:09:56 PDT 2013
Thanks for posting your script! I just added it to my install so I can stop
doing date -d@ all the time.
On Thu, Aug 8, 2013 at 8:10 AM, Dani Witherspoon
<punchpernickle at gmail.com> wrote:
> Thank you so much, Justin! This did the trick -- I really appreciate the
> guidance!
>
> If anybody's interested, here's the working bro-code:
>
>
> @load base/protocols/http
>
> module HTTP;
>
> export {
>     redef record Info += {
>         ## A human-readable timestamp
>         human_time: string &log &optional;
>     };
> }
>
> event http_request(c: connection, method: string, original_URI: string,
>                    unescaped_URI: string, version: string)
>     {
>     local format: string = "%F, %H:%M";
>     c$http$human_time = strftime(format, c$http$ts);
>     }
>
> On Wed, Aug 7, 2013 at 1:48 PM, Justin Azoff <JAzoff at albany.edu> wrote:
>
>> On Wed, Aug 07, 2013 at 12:07:03PM -0400, Dani Witherspoon wrote:
>> > event time_translate(c: connection, rec: HTTP::Info)
>> >     {
>> >     local format: string = "%F-%H-%M";
>> >     c$http$human_time = strftime(format, rec$ts);
>> >     }
>> >
>>
>> You're right up to here.. the problem is nothing will trigger the
>> time_translate event. You need to use one of the existing events that
>> will fire for http connections.
>>
>> I would try:
>>
>> event HTTP::log_http(rec: HTTP::Info)
>> {
>> ..
>> }
>>
>> I believe that fires just before the entry is logged, if that doesn't
>> work an event like connection_established or http_request would
>> definitely work.
>>
>> --
>> -- Justin Azoff
>> -- Network Security & Performance Analyst
>>
>
>
>
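An offline counterpart to the script in this thread, as an added example that is not part of the original messages: it appends the same human_time column to a Bro ASCII log that was written before the script was loaded. The function name, the sample rows and the use of UTC are assumptions (Bro's strftime formats in the sensor's local time zone).

```python
from datetime import datetime, timezone

# Portable expansion of the "%F, %H:%M" format used in the posted script.
FORMAT = "%Y-%m-%d, %H:%M"

def add_human_time(lines, fmt=FORMAT):
    """Append a human_time column to the lines of a Bro ASCII (TSV) log."""
    sep, unset, ts_idx, out = "\t", "-", None, []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#separator"):
            # Header form is "#separator \x09": the value is an escaped byte.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            ts_idx = line.split(sep)[1:].index("ts")
            line += sep + "human_time"
        elif line.startswith("#types"):
            line += sep + "string"
        elif not line.startswith("#"):
            if ts_idx is None:
                raise ValueError("data row seen before #fields header")
            ts = line.split(sep)[ts_idx]
            if ts == unset:
                human = unset  # keep Bro's marker for a missing value
            else:
                # Assumption: UTC, so the output does not depend on the host zone.
                when = datetime.fromtimestamp(float(ts), tz=timezone.utc)
                human = when.strftime(fmt)
            line += sep + human
        out.append(line)  # other header lines (#path, #close) pass through
    return out

# Constructed sample log, not taken from a real capture.
SAMPLE = [
    "#separator \\x09",
    "#unset_field\t-",
    "#path\thttp",
    "#fields\tts\tuid\tmethod\thost",
    "#types\ttime\tstring\tstring\tstring",
    "1375978196.123456\tCexample1\tGET\texample.com",
    "-\tCexample2\tPOST\texample.org",
    "#close\t2013-08-08-16-10-00",
]

if __name__ == "__main__":
    print("\n".join(add_human_time(SAMPLE)))
```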