[Bro] How to use Broccoli to pull event from Bro

Siwek, Jon jsiwek at illinois.edu
Wed Aug 13 07:30:02 PDT 2014


On Aug 13, 2014, at 5:44 AM, fql <fengqingleiyue at 163.com> wrote:

> Now I have a question: can I use "Broccoli" to pull the event which looks like the lines in the log files [e.g. "conn.log"]?

On the Bro side, there is usually an event that corresponds to a given log line, e.g. the “Conn::log_conn” event [1].  On the Broccoli side, there’s a general outline of what needs to be done to receive events at [2], which you should be able to follow to receive events whose parameters correspond to the fields of log files, e.g. “Conn::log_conn” or some other event that you’ve defined yourself in order to pick a subset of the fields that are interesting to you.

- Jon

[1] http://www.bro.org/sphinx-git/scripts/base/protocols/conn/main.bro.html#id-Conn::log_conn
[2] http://www.bro.org/sphinx-git/components/broccoli/broccoli-manual.html#receiving-events
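The "event you've defined yourself to pick a subset of the fields" that the reply suggests, as an added example rather than code from the message or the Bro project: a Bro 2.x script that reacts to Conn::log_conn, raises a smaller event, and lets a Broccoli peer subscribe to it. The module and event names (ConnSummary::conn_summary) and the node label are assumptions.

```bro
# Added example, not from the original message: pick a subset of conn.log
# fields and raise a smaller event for a Broccoli client to receive.
# The module/event name ConnSummary::conn_summary is hypothetical.
@load base/protocols/conn
@load frameworks/communication/listen

module ConnSummary;

export {
    ## Carries only the fields the client cares about; the transport
    ## protocol is passed as a string so the client needs no enum handling.
    global conn_summary: event(ts: time, uid: string, orig_h: addr, resp_h: addr,
                               resp_p: port, proto: string, service: string);
}

# Let the Broccoli peer (which connects to Bro's listen port) subscribe to
# the event; Bro forwards only events whose names match $events to this node.
redef Communication::nodes += {
    ["broccoli-client"] = [$host=127.0.0.1, $events=/ConnSummary::conn_summary/,
                           $connect=F, $ssl=F]
};

# Conn::log_conn fires once per conn.log line with the full Conn::Info record;
# the service field is optional, so substitute "-" when it is absent.
event Conn::log_conn(rec: Conn::Info)
{
    local svc = rec?$service ? rec$service : "-";
    event ConnSummary::conn_summary(rec$ts, rec$uid, rec$id$orig_h, rec$id$resp_h,
                                    rec$id$resp_p, fmt("%s", rec$proto), svc);
}
```

On the Broccoli side, the client then registers a handler for the event name "ConnSummary::conn_summary" as described in the manual section linked at [2], and its callback receives the seven parameters in the order declared above.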
