[Bro] Bro's software log
Azoff, Justin S
jazoff at illinois.edu
Tue Jan 12 11:58:21 PST 2016
You're going to laugh... That's what bro-cut is for :-)
# zcat software.log.gz | bro-cut host unparsed_version
Regular cut kind of works too, but bro-cut is faster and easier to use:
# zcat software.log.gz | egrep -v "^#" | cut -f 2,11
--
- Justin Azoff
> On Jan 12, 2016, at 2:32 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
> I LOVE the software log. Legit. It's awesome. I'm trying to create a report of sorts, with sed and awk, and for the life of me I'm having a tough time. Here's what I got so far:
>
> zcat software.log.gz | bro-cut -d | sed -e 's/<tab character here, ie ctrl-v, tab>/-/g' -e 's/\-\-\-[A-Z]\{3,5\}::/ /' -e 's/^.*0000-//'
>
> This get me kinda close, but not close enough...here's the raw entry:
>
> 2016-01-01T14:57:02+0000 x.x.x.x - HTTP::BROWSER Windows-Update-Agent 7 9 9600 18145 Client Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21
>
> What I'm really hoping for is this:
> x.x.x.x Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21
>
> Just the IP address, and the last bit...the entire unparsed_version field. Anyone got a clever script to do something like this? Thank you.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
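Added example (not from this thread, not Bro's or bro-cut's own code): a small Python reimplementation of what bro-cut does in the reply above, so the header-driven field selection is visible. The parser reads the #separator, #unset_field, #empty_field and #fields header lines of a Bro ASCII log and then pulls columns out by name, which is why it keeps working if the column order changes, unlike "cut -f 2,11". The embedded software.log is constructed for this example; its 11-column #fields line follows the default Software::Info layout (host in column 2, unparsed_version in column 11), which is what the cut command in the reply relies on.

```python
import re
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample of a Bro ASCII software.log (not a real capture).
# The separator is declared as an escape sequence on the first header line;
# every later header line and every record uses the real separator byte.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tsoftware\n"
    "#open\t2016-01-01-14-57-02\n"
    "#fields\tts\thost\thost_p\tsoftware_type\tname\tversion.major\tversion.minor"
    "\tversion.minor2\tversion.minor3\tversion.addl\tunparsed_version\n"
    "#types\ttime\taddr\tport\tenum\tstring\tcount\tcount\tcount\tcount\tstring\tstring\n"
    "1451660222.000000\t10.0.0.5\t-\tHTTP::BROWSER\tWindows-Update-Agent\t7\t9\t9600\t18145"
    "\tClient\tWindows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21\n"
    "1451660250.000000\t10.0.0.7\t-\tHTTP::BROWSER\tFirefox\t43\t0\t-\t-\t-"
    "\tMozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0\n"
    "#close\t2016-01-01-15-00-00\n"
)


def _decode_escapes(value: str) -> str:
    """Turn the \\xNN notation Bro uses on the #separator line into real characters."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_bro_log(lines: Iterable[str]) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per record, keyed by the names on the #fields header line.

    Unset fields (the #unset_field marker, '-' by default) become None and the
    #empty_field marker becomes ''. Header and trailer lines ('#...') are consumed
    for their metadata and never yielded, which is the part a plain 'cut' misses.
    """
    sep, unset, empty = "\t", "-", "(empty)"
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _decode_escapes(line[len("#separator "):])
            else:
                key, _, value = line[1:].partition(sep)
                if key == "fields":
                    fields = value.split(sep)
                elif key == "unset_field":
                    unset = value
                elif key == "empty_field":
                    empty = value
            continue
        if not fields:
            raise ValueError("data line seen before the #fields header")
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise ValueError("expected %d columns, got %d" % (len(fields), len(cols)))
        record: Dict[str, Optional[str]] = {}
        for name, col in zip(fields, cols):
            record[name] = None if col == unset else ("" if col == empty else col)
        yield record


def bro_cut(log_text: str, *names: str) -> List[List[str]]:
    """Select columns by name, like 'bro-cut host unparsed_version'.

    Unset values are printed back as '-' so the output matches bro-cut's.
    """
    rows = []
    for rec in parse_bro_log(log_text.splitlines(keepends=True)):
        rows.append(["-" if rec[n] is None else rec[n] for n in names])
    return rows


if __name__ == "__main__":
    # Same report James asked for: just the host and the whole unparsed_version.
    for host, unparsed in bro_cut(SAMPLE_LOG, "host", "unparsed_version"):
        print(host, unparsed)
```

Selecting by name rather than position also sidesteps the sed approach in the original question: unparsed_version can contain spaces, and version.minor2/minor3/addl may be unset ('-') for some software, so a pattern keyed on a fixed number of tokens will not match every line.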