[Bro] Adding a human-readable timestamp field.

KB kebutler at gmail.com
Fri Aug 16 04:45:39 PDT 2013


My guess is the suggestion would be to derive the human-readable time from the epoch time already in the log. Unless you have your reasons, of course.
See "cf" in the list on this page:
http://bro.org/community/software.html
ftp://ee.lbl.gov/cf.tar.gz

# Original epoch time in log
$ grep -v "^#" capture_loss.log  | head -n 4
1376652216.898400	900.001180	worker-4	0	328165	0.000%
1376652223.161080	900.095410	worker-5	0	340367	0.000%
1376652224.511310	900.052610	worker-7	0	372860	0.000%
1376652224.377070	900.109850	worker-9	0	294452	0.000%

# Epoch time converted to human readable time using CF
$ grep -v "^#" capture_loss.log  | head -n 4 | /usr/local/bin/cf 
Aug 16 11:23:36	900.001180	worker-4	0	328165	0.000%
Aug 16 11:23:43	900.095410	worker-5	0	340367	0.000%
Aug 16 11:23:44	900.052610	worker-7	0	372860	0.000%
Aug 16 11:23:44	900.109850	worker-9	0	294452	0.000%

-kb
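The conversion cf performs in the pipeline above, as an added Python example (not cf's code, and not from either poster): it reads Bro's `#types` header to find every `time` column rather than assuming the first field, and falls back to column 0 when the headers were stripped with `grep -v "^#"`. The sample's header lines are assumed to follow Bro's ASCII writer layout, and UTC is assumed, which reproduces the `Aug 16 11:23:36` shown above.

```python
from datetime import datetime, timezone

# Constructed sample: a capture_loss.log as Bro's ASCII writer lays it out
# (header lines assumed; the two data rows are the ones quoted above).
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tcapture_loss\n"
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost\n"
    "#types\ttime\tinterval\tstring\tcount\tcount\tstring\n"
    "1376652216.898400\t900.001180\tworker-4\t0\t328165\t0.000%\n"
    "1376652223.161080\t900.095410\tworker-5\t0\t340367\t0.000%\n"
)


def humanize_log(text, fmt="%b %d %H:%M:%S", tz=timezone.utc):
    """Return the log's lines with every 'time'-typed column rewritten
    as a human-readable timestamp.

    Header lines ('#...') pass through untouched; the '#types' line says
    which columns hold epoch times.  If the headers are absent (e.g. the
    log was piped through grep -v "^#"), convert column 0, as cf does.
    """
    time_cols = None
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if line.startswith("#types\t"):
                types = line.split("\t")[1:]
                time_cols = [i for i, t in enumerate(types) if t == "time"]
            out.append(line)
            continue
        fields = line.split("\t")
        for i in (time_cols if time_cols is not None else [0]):
            # '-' is Bro's unset marker; leave it alone rather than crash.
            if i < len(fields) and fields[i] != "-":
                stamp = datetime.fromtimestamp(float(fields[i]), tz)
                fields[i] = stamp.strftime(fmt)
        out.append("\t".join(fields))
    return out


if __name__ == "__main__":
    print("\n".join(humanize_log(SAMPLE_LOG)))
```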

On Aug 16, 2013, at 5:33 AM, 김희철 <hckim at narusec.com> wrote:

> Hello
> I am trying to add a human-readable timestamp field to capture_loss.log and stats.log.
> 
> for stats.log
> event Stats::log_http(rec: Stats::Info)
> {
>     ..
> }
> 
> This did not work.
> 
> And for capture_loss there was no rec event to trigger.
> 
> Is there another event I can use?
> 
