[Bro] "bro-cut -d | grep" vs. "grep | bro-cut -d"
James Lay
jlay at slave-tothe-box.net
Fri Mar 29 08:48:33 PDT 2013
On 2013-03-29 09:24, Vlad Grigorescu wrote:
> bro-cut relies on the header fields. You can use something like this:
>
>> grep -E '(^#|light)'
>
> --Vlad
>
>
> On Mar 29, 2013, at 11:17 AM, James Lay <jlay at slave-tothe-box.net>
> wrote:
>
>> Topic (sorta) says it. Example:
>>
>> [08:49:21 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | grep light | bro-cut -d
>>
>> [08:49:25 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | bro-cut -d | grep light
>> 2013-03-28T20:42:09-0600 X8KFdodB5Ie x.x.x.x 55051 x.x.x.x 53 udp 43494 www.lighting.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 x.x.x.x 3600.000000
>> [08:49:50 ids:~/broarchive/03-28-2013$]
>>
>> I'd like to grep out the content before sending to bro-cut as it
>> takes
>> a fraction of the time (as shown above). I've made sure that no
>> colorization is happening. Any hints on how I can get this to fly?
>> Thank you.
>>
>> James
Thanks Vlad that does help. I guess I should explain my usage as well.
I see some event, and I go right to current and:
grep x.x.x.x *
and get lots of good information, but no timestamp. Interestingly,
the below works:
cat * | egrep '(^#|x.x.x.x)' | /opt/bin/bro-cut -d
but the below script and execution do not (no results):
#!/bin/bash
#cleanbro
cat * | egrep '(^#|$1)' | /opt/bin/bro-cut -d
./cleanbro x.x.x.x
I really just want to be able to look through all logs for the current
day (rotation every 24 hours) and for the past days. I don't really just
choose one log, I check them all. I had my suspicions up front that the
timestamp was going to be an issue. Devs, any chance you can get an
option in for human readable timestamps IN logs? Thanks.
James
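As an added example (not part of this thread, and not Bro's own code), the script below runs both grep forms from James's message over a small constructed Bro-style log: the single-quoted pattern never expands $1, so only header lines reach bro-cut, while a double-quoted pattern (with the IP's dots escaped so they match literally) keeps the header lines and the matching records. The field names and records in the sample log are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Shows why a single-quoted grep
# pattern leaves bro-cut with nothing but header lines.

# Constructed Bro-style log: tab-separated, header lines start with '#'
# (field names are an assumption, loosely modelled on dns.log).
make_sample_log() {
  printf '#separator \\x09\n'
  printf '#fields\tts\tuid\tid.orig_h\tquery\n'
  printf '#types\ttime\tstring\taddr\tstring\n'
  printf '1364521329.0\tX8KFdodB5Ie\t10.0.0.5\twww.lighting.com\n'
  printf '1364521330.0\tAbCdEfGhIjK\t10.0.0.9\twww.example.com\n'
}

# Broken form: inside single quotes "$1" stays literal, so the regex is
# (^#|$1), which matches header lines only; the argument is ignored.
filter_broken() {
  grep -E '(^#|$1)'
}

# Working form: double quotes let the shell substitute the argument, and
# the dots of an IP address are escaped so "10.0.0.5" cannot also match
# "10x0x0x5". Header lines are kept so bro-cut still sees #fields/#types.
filter_fixed() {
  local pat
  pat=$(printf '%s' "$1" | sed 's/[.]/\\./g')
  grep -E "(^#|$pat)"
}

# Count the non-header (data) lines that survived the filter; always
# prints a number and exits 0, even when there are none.
count_data_lines() {
  awk '!/^#/ { n++ } END { print n + 0 }'
}

broken=$(make_sample_log | filter_broken "10.0.0.5" | count_data_lines)
fixed=$(make_sample_log | filter_fixed "10.0.0.5" | count_data_lines)
echo "broken pattern: $broken data lines; fixed pattern: $fixed data lines"
```

In real use the output of filter_fixed is what gets piped into bro-cut -d, exactly as in the one-liner that worked for James.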