[Bro] Log File Modifications

Dave Crawford bro at pingtrip.com
Tue Dec 6 18:16:50 PST 2016


Thanks for the pointer Daniel! I was able to find the documentation here: https://www.bro.org/sphinx-git/scripts/base/frameworks/logging/main.bro.html#id-Log::default_field_name_map

I also have this working at the filter level now as well, and it helps me reduce overhead on the Splunk side.

-Dave

> On Dec 6, 2016, at 8:13 PM, Daniel Thayer <dnthayer at illinois.edu> wrote:
> 
> You can do something like this:
> 
> redef Log::default_field_name_map = {
>    ["id.orig_h"] = "src",
>    ["id.orig_p"] = "src_port",
>    ["id.resp_h"] = "dst",
>    ["id.resp_p"] = "dst_port",
> };
> 
> 
> On 12/6/16 1:48 PM, Dave Crawford wrote:
>> Is it possible (via scripts vs code modifications) to rename existing columns in a log file? The logging documentation has examples for filtering out specific events, or adding additional columns, but I couldn't find a reference for renaming.
>> 
>> Thanks,
>> -Dave
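The filter-level variant that Dave mentions is not shown in the thread. The script below is an added example (not Daniel's or Dave's code, and not from the Bro project itself) of doing the same rename per log stream through a `Log::Filter`, alongside a second trimmed filter for the SIEM. It assumes Bro 2.5 or later, where `Log::Filter` carries a `field_name_map` field; the mapping table name `splunk_field_names`, the filter name `splunk` and the path `conn-splunk` are made up for this example.

```bro
# Added example, not part of the thread: rename fields for one stream via a
# filter instead of (or in addition to) redef'ing Log::default_field_name_map.
# Assumes Bro 2.5+, where Log::Filter has a field_name_map field.

# Constructed mapping: the key is the full field path as it appears in the
# log header (nested record fields joined with "."), the value is the new
# column name that downstream tooling will see.
const splunk_field_names: table[string] of string = {
    ["id.orig_h"] = "src",
    ["id.orig_p"] = "src_port",
    ["id.resp_h"] = "dst",
    ["id.resp_p"] = "dst_port",
} &redef;

# Negative priority so this runs after base/protocols/conn has created
# the Conn::LOG stream and its "default" filter.
event bro_init() &priority=-10
    {
    # Fetch the existing default filter for conn.log, attach the rename map
    # and put it back. Log::add_filter replaces a filter of the same name,
    # so conn.log is still written once, just with the renamed columns.
    local f = Log::get_filter(Conn::LOG, "default");
    f$field_name_map = splunk_field_names;
    Log::add_filter(Conn::LOG, f);

    # A second, trimmed stream for the SIEM: only the listed columns, renamed,
    # written to conn-splunk.log. Fields in "include" are named by their
    # original (pre-rename) paths.
    Log::add_filter(Conn::LOG, [$name="splunk",
                                $path="conn-splunk",
                                $include=set("ts", "uid",
                                             "id.orig_h", "id.orig_p",
                                             "id.resp_h", "id.resp_p",
                                             "proto", "conn_state"),
                                $field_name_map=splunk_field_names]);
    }
```

After loading the script, the `#fields` header line of `conn.log` and `conn-splunk.log` is the quickest check that the rename took effect. Because the rename changes the on-disk schema, any existing field extractions or detection content keyed on `id.orig_h` and friends (in Splunk or elsewhere) must be updated at the same time, otherwise those searches silently stop matching.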
