[Bro] Issue when adding a field to files.log

Daniel Thayer dnthayer at illinois.edu
Sat Sep 12 11:12:26 PDT 2015


This sounds like a good idea.  The "Logging Framework" document in
the Bro Manual shows an example of how to create a new log stream
(look at the first part of the "Streams" section):
https://www.bro.org/sphinx/frameworks/logging.html


On 09/12/2015 09:16 AM, Josh Liburdi wrote:
> My suggestion is to generate a whole new log with the cuckoo_id value
> (cuckoo.log ?). The main advantage to doing it this way is that new
> log entries will be written whenever Cuckoo analysis finishes-- you
> won't need to delay files.log or continue to put cuckoo_id values in
> notice.log. Additionally, if each entry in the new log has a UID, then
> that's a very Brogrammatic way to correlate the cuckoo_id value to
> entries in files.log.
>
> Josh
>
> On Sat, Sep 12, 2015 at 2:38 AM, Boreham-Smith <boreham.smith at gmail.com> wrote:
>> Thanks Daniel,
>>
>> What you suggest makes sense and explains the behaviour I observed. I guess
>> this leads me to the next thought - is there a way to delay the file getting
>> written out, or an alternate File event that could be used to achieve the
>> outcome I am looking for?
>>
>> I am happy pulling the data from the notice logs I am generating, but it
>> seemed tidy to have this information in the file.log too if possible.
>>
>> regards,
>> Boreham
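As an added illustration of the separate-log approach discussed in this thread (this is example code written for this page, not code from the thread participants or from the Bro project), the following Bro script creates a cuckoo.log stream keyed on the file UID so that each record can be joined back to files.log. The module name Cuckoo, the field names, and the cuckoo_analysis_done event are assumptions for the example; the event stands in for whatever glue code actually receives the finished Cuckoo result. The $path option to Log::create_stream is assumed to be available (Bro 2.4 and later).

```bro
# Added example, not from the original thread: a minimal cuckoo.log stream.
module Cuckoo;

export {
    # Register a new log stream ID for this module.
    redef enum Log::ID += { LOG };

    # Columns of cuckoo.log. fuid carries the same value as the fuid column
    # in files.log, and uid the same value as in conn.log, which is what
    # makes the records correlatable without delaying files.log.
    type Info: record {
        ts:        time   &log;            # when the Cuckoo result arrived
        fuid:      string &log;            # Bro file UID, as in files.log
        uid:       string &log &optional;  # connection UID, if known
        cuckoo_id: string &log;            # analysis/task ID returned by Cuckoo
    };

    # Hypothetical event (an assumption for this example): raised by whatever
    # glue code learns that Cuckoo has finished analysing a given file.
    global cuckoo_analysis_done: event(fuid: string, uid: string, cuckoo_id: string);
}

event bro_init() &priority=5
    {
    # Create the stream once at startup; $path selects the output file name.
    Log::create_stream(Cuckoo::LOG, [$columns=Info, $path="cuckoo"]);
    }

# Write one record per finished analysis, whenever it finishes, so files.log
# never has to wait for the sandbox and notice.log is not used as a carrier.
event cuckoo_analysis_done(fuid: string, uid: string, cuckoo_id: string)
    {
    local rec: Info = [$ts=network_time(), $fuid=fuid, $cuckoo_id=cuckoo_id];
    if ( uid != "" )
        rec$uid = uid;
    Log::write(Cuckoo::LOG, rec);
    }
```

With this in place, correlation is a join on the fuid column: for example, `bro-cut fuid cuckoo_id < cuckoo.log` gives the mapping, and the same fuid in files.log yields the file metadata that was written at the time the file was seen.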

