[Bro] Issue when adding a field to files.log

Boreham-Smith boreham.smith at gmail.com
Sat Sep 12 14:16:01 PDT 2015


Hi Josh,

Yes - this would seem to be a sensible way to go. I'll look in to the
examples in the logging framework.

Best regards,
Boreham

On Sun, Sep 13, 2015 at 4:12 AM, Daniel Thayer <dnthayer at illinois.edu>
wrote:

> This sounds like a good idea.  The "Logging Framework" document in
> the Bro Manual shows an example of how to create a new log stream
> (look at the first part of the "Streams" section):
> https://www.bro.org/sphinx/frameworks/logging.html
>
>
>
> On 09/12/2015 09:16 AM, Josh Liburdi wrote:
>
>> My suggestion is to generate a whole new log with the cuckoo_id value
>> (cuckoo.log ?). The main advantage to doing it this way is that new
>> log entries will be written whenever Cuckoo analysis finishes-- you
>> won't need to delay files.log or continue to put cuckoo_id values in
>> notice.log. Additionally, if each entry in the new log has a UID, then
>> that's a very Brogrammatic way to correlate the cuckoo_id value to
>> entries in files.log.
>>
>> Josh
>>
>> On Sat, Sep 12, 2015 at 2:38 AM, Boreham-Smith <boreham.smith at gmail.com>
>> wrote:
>>
>>> Thanks Daniel,
>>>
>>> What you suggest makes sense and explains the behaviour I observed. I
>>> guess this leads me to the next thought - is there a way to delay the
>>> file getting written out, or an alternate File event that could be used
>>> to achieve the outcome I am looking for?
>>>
>>> I am happy pulling the data from the notice logs I am generating, but it
>>> seemed tidy to have this information in files.log too if possible.
>>>
>>> regards,
>>> Boreham
>>>
>>
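The approach Josh describes above (a separate log stream whose entries carry the file UID so they can be joined back to files.log) looks like this in Bro script. This is an added example, not code from the thread or from the Bro project; the module name Cuckoo, the helper log_result and the string type of cuckoo_id are assumptions, and the part that actually receives the finished Cuckoo analysis is not shown.

```bro
##! Added example (not from the thread or the Bro project): a separate
##! cuckoo.log stream keyed on the file UID, as suggested in the thread.

module Cuckoo;

export {
    ## Register a new log stream ID for the Cuckoo results.
    redef enum Log::ID += { LOG };

    ## One entry per finished Cuckoo analysis. Every field carries &log so
    ## the logging framework writes it as a column of cuckoo.log.
    type Info: record {
        ## Time the result was recorded.
        ts:        time   &log;
        ## File UID, the same value as the fuid column in files.log; this
        ## is the key used to correlate the two logs.
        fuid:      string &log;
        ## Analysis identifier returned by Cuckoo. Assumed to be a string
        ## here; change the type if your integration returns a number.
        cuckoo_id: string &log;
    };

    ## Hypothetical helper: call it from whatever code receives the
    ## finished Cuckoo result (that integration is not part of this example).
    global log_result: function(fuid: string, cuckoo_id: string);
}

event bro_init() &priority=5
{
    # Create cuckoo.log with the columns of Info at startup, so the stream
    # exists before the first result arrives.
    Log::create_stream(Cuckoo::LOG, [$columns=Info, $path="cuckoo"]);
}

function log_result(fuid: string, cuckoo_id: string)
{
    # Each finished analysis becomes one line; nothing in files.log is
    # delayed, because the file entry was already written independently.
    local rec: Info = [$ts=network_time(), $fuid=fuid, $cuckoo_id=cuckoo_id];
    Log::write(Cuckoo::LOG, rec);
}
```

With this in place, correlating a Cuckoo result with the original file is a join of cuckoo.log and files.log on the fuid column (for example with bro-cut on both files, or in whatever log store you ship them to), and files.log is written at its usual time with no extra buffering.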