[Bro] Adding a human-readable timestamp field.
KB
kebutler at gmail.com
Fri Aug 16 04:45:39 PDT 2013
My guess is the suggestion would be to derive the human readable time from epoch time in the log already. Unless you have your reasons of course.
See "cf" in the list on this page:
http://bro.org/community/software.html
ftp://ee.lbl.gov/cf.tar.gz
# Original epoch time in log
$ grep -v "^#" capture_loss.log | head -n 4
1376652216.898400 900.001180 worker-4 0 328165 0.000%
1376652223.161080 900.095410 worker-5 0 340367 0.000%
1376652224.511310 900.052610 worker-7 0 372860 0.000%
1376652224.377070 900.109850 worker-9 0 294452 0.000%
# Epoch time converted to human readable time using CF
$ grep -v "^#" capture_loss.log | head -n 4 | /usr/local/bin/cf
Aug 16 11:23:36 900.001180 worker-4 0 328165 0.000%
Aug 16 11:23:43 900.095410 worker-5 0 340367 0.000%
Aug 16 11:23:44 900.052610 worker-7 0 372860 0.000%
Aug 16 11:23:44 900.109850 worker-9 0 294452 0.000%
-kb
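The same post-hoc conversion that the cf pipeline above does can be written in a few lines, which is useful on boxes where cf is not installed and when you want the conversion driven by the log's own header instead of by guessing which column looks like a timestamp. The following is an added example, not code from this post, from Bro, or from cf. It assumes Bro's ASCII TSV log format with a `#fields` header naming the timestamp column `ts` (the column names in the constructed sample follow capture_loss.log, and the data rows mirror the ones printed above); for headerless input, such as the output of `grep -v "^#"`, it falls back to column 0. It formats in UTC and keeps the fractional seconds as text, so nothing from the log is lost or shifted by the local timezone; the stored log keeps its epoch `ts`, which is what you want for sorting and correlating across sensors.

```python
"""Rewrite the epoch `ts` column of a Bro ASCII log as human-readable UTC time.

Added example for the thread above; not code from the post, Bro, or cf.
Assumptions: Bro's TSV layout, a `#fields` header naming the time column
`ts`, and `-` as the unset-field marker. Headerless input uses column 0.
"""
import datetime
import sys

# Constructed sample in the shape of capture_loss.log: header lines as Bro
# writes them, followed by data rows mirroring the ones in the post.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tcapture_loss\n"
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost\n"
    "#types\ttime\tinterval\tstring\tcount\tcount\tdouble\n"
    "1376652216.898400\t900.001180\tworker-4\t0\t328165\t0.000%\n"
    "1376652223.161080\t900.095410\tworker-5\t0\t340367\t0.000%\n"
    "#close\t2013-08-16-11-38-36\n"
)

EPOCH = datetime.datetime(1970, 1, 1)


def epoch_to_human(ts_text):
    """Convert '1376652216.898400' to '2013-08-16 11:23:36.898400Z'.

    The fractional part is carried over as text rather than via float(),
    so the microseconds printed are exactly the ones Bro logged, and the
    result is always UTC (the trailing Z makes that explicit).
    """
    whole, _, frac = ts_text.partition(".")
    stamp = EPOCH + datetime.timedelta(seconds=int(whole))
    out = stamp.strftime("%Y-%m-%d %H:%M:%S")
    if frac:
        out += "." + frac
    return out + "Z"


def convert_log(text, ts_field="ts", default_col=0, unset="-"):
    """Return the log's lines with the ts column rewritten as human time.

    Header lines ('#...') pass through untouched. The column index comes
    from the '#fields' header when present; otherwise `default_col` is used,
    which matches a 'grep -v "^#"' pipeline where ts is the first column.
    """
    col = default_col
    out = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            names = line.split("\t")[1:]
            col = names.index(ts_field) if ts_field in names else None
            out.append(line)
            continue
        if line.startswith("#") or not line.strip():
            out.append(line)
            continue
        if col is None:
            raise ValueError("field %r not in #fields header" % ts_field)
        parts = line.split("\t")
        if parts[col] != unset:
            parts[col] = epoch_to_human(parts[col])
        out.append("\t".join(parts))
    return out


if __name__ == "__main__":
    # `python this.py - < capture_loss.log` converts a real log; with no
    # argument it runs over the constructed sample.
    data = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_LOG
    print("\n".join(convert_log(data)))
```

Since only the analyst-facing copy is converted, the epoch value stays in the log Bro writes, which is the form that sorts correctly, survives DST changes and is unambiguous across sensors in different timezones.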
On Aug 16, 2013, at 5:33 AM, 김희철 <hckim at narusec.com> wrote:
> Hello
> I am trying to add a human-readable timestamp field to capture_loss.log and stats.log.
>
> for stats.log
> event Stats::log_http(rec: Stats::Info)
> { ..
>
>
> }
>
> This did not work.
>
> And for capture_loss there was no rec event to trigger.
>
> Is there another event I can use?
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro