[Bro] Bro's software log

James Lay jlay at slave-tothe-box.net
Tue Jan 12 12:45:38 PST 2016


On 2016-01-12 12:58, Azoff, Justin S wrote:
> You're going to laugh... That's what bro-cut is for :-)
> 
> 
>     # zcat software.log.gz | bro-cut host unparsed_version
> 
> 
> Regular cut kind of works too, but bro-cut is faster and easier to use:
> 
>     # zcat software.log.gz | egrep -v "^#" | cut -f 2,11
> 
> --
> - Justin Azoff
> 
>> On Jan 12, 2016, at 2:32 PM, James Lay <jlay at slave-tothe-box.net> 
>> wrote:
>> 
>> I LOVE the software log.  Legit.  It's awesome.  I'm trying to create 
>> a report of sorts, with sed and awk, and for the life of me I'm having 
>> a tough time.  Here's what I got so far:
>> 
>> zcat software.log.gz | bro-cut -d | sed -e 's/<tab character here, ie 
>> ctrl-v, tab>/-/g' -e 's/\-\-\-[A-Z]\{3,5\}::/ /' -e 's/^.*0000-//'
>> 
>> This get me kinda close, but not close enough...here's the raw entry:
>> 
>> 2016-01-01T14:57:02+0000        x.x.x.x  -       HTTP::BROWSER   
>> Windows-Update-Agent    7       9       9600    18145   Client  
>> Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21
>> 
>> What I'm really hoping for is this:
>> x.x.x.x Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21
>> 
>> Just the IP address, and the last bit...the entire unparsed_version 
>> field.  Anyone got a clever script to do something like this?  Thank 
>> you.
>> 
>> James
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Oh for......yugh 8-|  Sigh....some days even the simplest of tasks are 
MIGHTY chores for me.  OH LOOKIE HERE, HERE'S bro-cut --help!  
Gagh....thanks all...I'm going to go back to pretending I have a clue.

James
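The thread's answer is that bro-cut already does the column selection by name, reading the `#fields` header of the log rather than relying on fixed column positions the way `cut -f 2,11` does. As an added illustration (not code from this thread or from the Bro project), here is a small POSIX shell/awk work-alike of that behaviour, run against a constructed software.log sample whose hosts and timestamps are made up; only the field names follow the standard `Software::Info` record layout shown in the quoted raw entry.

```shell
#!/bin/sh
# Helper: print its arguments joined by tabs, so the sample log below
# is built with real tab separators (Bro ASCII logs are tab-separated).
tabjoin() { printf '%s' "$1"; shift; for f in "$@"; do printf '\t%s' "$f"; done; printf '\n'; }

# Constructed sample of a Bro software.log (values invented; header layout
# follows the Software::Info record as seen in the raw entry in the thread).
SAMPLE_LOG="$(
  printf '#separator \\x09\n'
  tabjoin '#set_separator' ','
  tabjoin '#empty_field' '(empty)'
  tabjoin '#unset_field' '-'
  tabjoin '#path' 'software'
  tabjoin '#fields' 'ts' 'host' 'host_p' 'software_type' 'name' 'version.major' \
          'version.minor' 'version.minor2' 'version.minor3' 'version.addl' 'unparsed_version'
  tabjoin '#types' 'time' 'addr' 'port' 'enum' 'string' 'count' 'count' 'count' 'count' 'string' 'string'
  tabjoin '1451660222.000000' '10.0.0.5' '-' 'HTTP::BROWSER' 'Windows-Update-Agent' '7' '9' '9600' '18145' 'Client' \
          'Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21'
  tabjoin '1451660250.000000' '10.0.0.7' '-' 'HTTP::BROWSER' 'Firefox' '43' '0' '-' '-' '-' \
          'Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0'
  tabjoin '#close' '2016-01-01-15-00-00'
)"

# Minimal bro-cut work-alike: read a Bro ASCII log on stdin and print the
# named columns, tab-separated, in the order given. Column positions are
# learned from the '#fields' header line, so the selection does not break
# when a log has its fields reordered or extended; all '#' lines are dropped.
bro_cut_fields() {
  awk -v want="$*" '
    BEGIN { FS = "\t"; OFS = "\t"; nw = split(want, w, " ") }
    /^#fields\t/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }
    /^#/ { next }
    {
      out = ""
      for (k = 1; k <= nw; k++) {
        i = idx[w[k]]
        if (i == 0) { print "unknown field: " w[k] > "/dev/stderr"; exit 1 }
        out = (k == 1) ? $i : out OFS $i
      }
      print out
    }'
}

# The report asked for in the thread: "<ip> <unparsed_version>" per line.
software_report() {
  bro_cut_fields host unparsed_version | tr '\t' ' '
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | software_report
# (or, on a real log: zcat software.log.gz | software_report)
```

Because the column lookup is header-driven, the same function also answers the original question for logs written by a Bro policy that adds or reorders fields, which a positional `cut -f 2,11` would silently get wrong.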

