[Bro] "bro-cut -d | grep" vs. "grep | bro-cut -d"

James Lay jlay at slave-tothe-box.net
Fri Mar 29 08:48:33 PDT 2013


On 2013-03-29 09:24, Vlad Grigorescu wrote:
> bro-cut relies on the header fields. You can use something like this:
>
>> grep -E '(^#|light)'
>
>   --Vlad
>
>
> On Mar 29, 2013, at 11:17 AM, James Lay <jlay at slave-tothe-box.net>
>  wrote:
>
>> Topic (sorta) says it.  Example:
>>
>> [08:49:21 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | grep light 
>> |
>> bro-cut -d
>>
>> [08:49:25 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | bro-cut -d 
>> |
>> grep light
>> 2013-03-28T20:42:09-0600        X8KFdodB5Ie     x.x.x.x    55051
>> x.x.x.x    53      udp     43494   www.lighting.com      1
>> C_INTERNET      1       A       0       NOERROR F       F       T
>> T       0       x.x.x.x    3600.000000
>> [08:49:50 ids:~/broarchive/03-28-2013$]
>>
>> I'd like to grep out the content before sending to bro-cut as it 
>> takes
>> a fraction of the time (as shown above).  I've made sure that no
>> colorization is happening.  Any hints on how I can get this to fly?
>> Thank you.
>>
>> James

Thanks Vlad, that does help.  I guess I should explain my usage as well. 
I see some event, and I go right to current and:

grep x.x.x.x *

and get lots of good information, but no timestamp.  Interestingly, 
the below works:

cat * | egrep '(^#|x.x.x.x)' | /opt/bin/bro-cut -d

but the below script and execution do not (no results):
#!/bin/bash
#cleanbro
cat * | egrep '(^#|$1)' |  /opt/bin/bro-cut -d

./cleanbro x.x.x.x

I really just want to be able to look through all logs for the current 
day (rotation every 24 hours) and for the past days.  I don't really just 
choose one log, I check them all.  I had my suspicions up front that the 
timestamp was going to be an issue.  Devs, any chance you can get an 
option in for human readable timestamps IN logs?  Thanks.

James
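An added example (not code from James, Vlad, or the Bro project) that does what the cleanbro script above is trying to do. Two things are worth seeing in working form: bro-cut needs the `#fields`/`#types` header lines, so the filter must pass every line beginning with `#` along with the matches; and inside single quotes `$1` is not expanded, so `egrep '(^#|$1)'` looks for an end-of-line anchor followed by a literal `1`, which never matches, and only headers reach bro-cut. The filter below hands the search string to awk with `-v`, which also treats it as a literal substring so the dots in an IP address are not regex metacharacters. The dns.log content is constructed for the example, and bro-cut is assumed to be on PATH (the thread uses /opt/bin/bro-cut); when it is absent the raw filtered lines are printed instead.

```bash
#!/bin/bash
# Added example, not from the original thread. Filters Bro ASCII logs by a
# literal string while keeping the '#' header lines bro-cut needs, then pipes
# the result into bro-cut -d when bro-cut is installed. Log content below is
# constructed; field layout mirrors a Bro 2.x dns.log but is abbreviated.

set -u

# Keep header lines (bro-cut reads field names from them) plus every line
# containing the search string as a plain substring. The string is passed
# with -v, so it is expanded by the shell instead of being quoted away.
brofilter() {
    local pat=$1
    shift
    awk -v pat="$pat" 'index($0, "#") == 1 || index($0, pat) > 0' "$@"
}

# The pitfall in the original cleanbro: single quotes keep $1 literal, so the
# pattern is "$1", which as an ERE is end-of-line followed by "1" and never
# matches. Only header lines survive. Kept here for comparison.
buggy_filter() {
    shift   # the search string is never used, exactly as in the original
    grep -E '(^#|$1)' "$@"
}

# Fixed replacement for cleanbro: filter, then bro-cut -d if available.
cleanbro() {
    if command -v bro-cut >/dev/null 2>&1; then
        brofilter "$@" | bro-cut -d
    else
        brofilter "$@"
    fi
}

# Number of data (non-header) rows that survive the filter.
match_count() {
    brofilter "$@" | grep -vc '^#' || true
}

# Constructed, tab-separated dns.log fragment with the headers bro-cut relies on.
make_sample_log() {
    local f
    f=$(mktemp)
    {
        printf '#separator \\x09\n'
        printf '#set_separator\t,\n'
        printf '#path\tdns\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\n'
        printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n'
        printf '1364523729.123456\tX8KFdodB5Ie\t10.0.0.5\t55051\t10.0.0.1\t53\tudp\twww.lighting.com\n'
        printf '1364523731.654321\tCc9Hq1z2abc\t10.0.0.7\t40001\t10.0.0.1\t53\tudp\twww.example.com\n'
    } > "$f"
    printf '%s\n' "$f"
}

# Usage, mirroring the thread: ./cleanbro x.x.x.x over all logs in the
# current directory. Uncomment to run against real logs:
# cleanbro "$1" *
```

Because awk matches a literal substring, `cleanbro 10.0.0.1 *` finds the address anywhere on the line (orig or resp side), which is what the original `grep x.x.x.x *` did; the difference is that the header lines come along, so bro-cut -d can still convert the `ts` column into a human-readable timestamp.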


