[Bro] Bro's software log

Mike Dopheide dopheide at gmail.com
Tue Jan 12 11:55:45 PST 2016


Unless I'm missing what you're trying to do, bro-cut already can do this
for you:

cat software.log |bro-cut host unparsed_version

-Dop

On Tue, Jan 12, 2016 at 1:32 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> I LOVE the software log.  Legit.  It's awesome.  I'm trying to create a
> report of sorts, with sed and awk, and for the life of me I'm having a
> tough time.  Here's what I got so far:
>
> zcat software.log.gz | bro-cut -d | sed -e "s/$(printf '\t')/-/g" -e 's/---[A-Z]\{3,5\}::/ /' -e 's/^.*0000-//'
>
> This gets me kinda close, but not close enough...here's the raw entry:
>
> 2016-01-01T14:57:02+0000        x.x.x.x  -       HTTP::BROWSER
> Windows-Update-Agent    7       9       9600    18145   Client
> Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21
>
> What I'm really hoping for is this:
> x.x.x.x Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21
>
> Just the IP address, and the last bit...the entire unparsed_version
> field.  Anyone got a clever script to do something like this?  Thank you.
>
> James
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
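The bro-cut approach from the reply, worked through as an added example that is not from either post: the script, the names bro_fields, software_report and SAMPLE_LOG, and the third (curl) row of the sample log are assumptions of mine; the first data row is the entry quoted in the thread, and the column names follow the software.log layout that entry implies. It reproduces bro-cut's name-based field selection with awk, so it runs without a Bro install, then dedupes to the host / unparsed_version report James was after.

```shell
#!/bin/sh
# Added example (not from the thread): select Bro log fields by name, the way
# bro-cut does, and build the host / unparsed_version report.

T=$(printf '\t')   # Bro logs are tab-separated (see the #separator header)

# Constructed software.log sample. The first row is the entry from the thread;
# the second repeats it (same host seen again); the third is a made-up curl hit.
SAMPLE_LOG="#separator \\x09
#set_separator${T},
#empty_field${T}(empty)
#unset_field${T}-
#path${T}software
#open${T}2016-01-01-14-57-02
#fields${T}ts${T}host${T}host_p${T}software_type${T}name${T}version.major${T}version.minor${T}version.minor2${T}version.minor3${T}version.addl${T}unparsed_version
#types${T}time${T}addr${T}port${T}enum${T}string${T}count${T}count${T}count${T}count${T}string${T}string
1451660222.000000${T}x.x.x.x${T}-${T}HTTP::BROWSER${T}Windows-Update-Agent${T}7${T}9${T}9600${T}18145${T}Client${T}Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21
1451660290.000000${T}x.x.x.x${T}-${T}HTTP::BROWSER${T}Windows-Update-Agent${T}7${T}9${T}9600${T}18145${T}Client${T}Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21
1451660301.000000${T}10.0.0.5${T}-${T}HTTP::BROWSER${T}curl${T}7${T}47${T}0${T}-${T}-${T}curl/7.47.0
#close${T}2016-01-01-15-00-00"

# bro_fields NAME... : read a Bro log on stdin and print the named columns,
# space-separated. Column positions are looked up in the #fields header rather
# than hard-coded, so the report survives a column being added or reordered.
# A name missing from the header prints as "-" (Bro's unset marker).
bro_fields() {
    awk -v want="$*" '
    BEGIN { FS = "\t"; n = split(want, w, " ") }
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }  # $1 is the "#fields" tag
    /^#/ { next }                                                 # skip the other header lines
    {
        out = ""
        for (k = 1; k <= n; k++) {
            c = col[w[k]]
            out = out (k > 1 ? " " : "") (c ? $c : "-")
        }
        print out
    }'
}

# The report: one line per distinct host / unparsed_version pair.
software_report() {
    printf '%s\n' "$SAMPLE_LOG" | bro_fields host unparsed_version | LC_ALL=C sort -u
}

software_report
```

On a real box the same report is just `bro-cut host unparsed_version < software.log | sort -u`; the awk only stands in for bro-cut here. Selecting by name matters because a column count of eleven today is not a promise: a Bro upgrade or a local script that logs an extra field shifts every positional `$N` and silently corrupts a hard-coded awk or sed report. Note also that unparsed_version is copied verbatim from whatever the client sent, so treat it as untrusted input in anything downstream of this pipeline (never pass it unquoted to a shell or into a query).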