[Bro] "bro-cut -d | grep" vs. "grep | bro-cut -d"

Jesse Bowling jessebowling at gmail.com
Fri Mar 29 09:44:05 PDT 2013 

I've also dropped this in an executable script and piped my output to it
(naturally it assumes the timestamp is the first field):

#!/bin/gawk
{
val=strftime("%Y-%m-%dT%H:%M:%S%z", $1, 0)
$1=val
print $0
}


Cheers,

Jesse

On Fri, Mar 29, 2013 at 11:48 AM, James Lay <jlay at slave-tothe-box.net>wrote:

> On 2013-03-29 09:24, Vlad Grigorescu wrote:
> > bro-cut relies on the header fields. You can use something like this:
> >
> >> grep -E '(^#|light)'
> >
> >   --Vlad
> >
> >
> > On Mar 29, 2013, at 11:17 AM, James Lay <jlay at slave-tothe-box.net>
> >  wrote:
> >
> >> Topic (sorta) says it.  Example:
> >>
> >> [08:49:21 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | grep light
> >> |
> >> bro-cut -d
> >>
> >> [08:49:25 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | bro-cut -d
> >> |
> >> grep light
> >> 2013-03-28T20:42:09-0600        X8KFdodB5Ie     x.x.x.x    55051
> >> x.x.x.x    53      udp     43494   www.lighting.com      1
> >> C_INTERNET      1       A       0       NOERROR F       F       T
> >> T       0       x.x.x.x    3600.000000
> >> [08:49:50 ids:~/broarchive/03-28-2013$]
> >>
> >> I'd like to grep out the content before sending to bro-cut as it
> >> takes
> >> a fraction of the time (as shown above).  I've made sure that no
> >> colorization is happening.  Any hints on how I can get this to fly?
> >> Thank you.
> >>
> >> James
>
> Thanks Vlad that does help.  I guess I should explain my usage as well.
> I see some event, and I go right to current and:
>
> grep x.x.x.x *
>
> and get lot's of good information, but no timestamp.  Interestingly,
> the below works:
>
> cat * | egrep '(^#|x.x.x.x)' | /opt/bin/bro-cut -d
>
> but the below script and execution does not (no results)
> #!/bin/bash
> #cleanbro
> cat * | egrep '(^#|$1)' |  /opt/bin/bro-cut -d
>
> ./cleanbro x.x.x.x
>
> I really just want to be able to look through all logs for the current
> day (rotation every 24 hours) and for the past days..I don't really just
> choose one log, I check them all.  I had my suspicions up front that the
> timestamp was going to be an issue.  Devs, any chance you can get an
> option in for human readable timestamps IN logs?  Thanks.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Jesse Bowling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130329/5c88ca25/attachment.html

More information about the Bro mailing list