[Bro] Bro's software log

Paul Halliday paul.halliday at gmail.com
Tue Jan 12 13:05:56 PST 2016


I actually thought you were trolling for a sec with that sed line. Is he
trying to turn this into an animated gif?

:)

On Tue, Jan 12, 2016 at 4:45 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> On 2016-01-12 12:58, Azoff, Justin S wrote:
> > You're going to laugh... That's what bro-cut is for :-)
> >
> >
> >     # zcat software.log.gz | bro-cut host unparsed_version
> >
> >
> > Regular cut kind of works too, but bro-cut is faster and easier to use:
> >
> >     # zcat software.log.gz | egrep -v "^#" | cut -f 2,11
> >
> > --
> > - Justin Azoff
> >
> >> On Jan 12, 2016, at 2:32 PM, James Lay <jlay at slave-tothe-box.net>
> >> wrote:
> >>
> >> I LOVE the software log.  Legit.  It's awesome.  I'm trying to create
> >> a report of sorts, with sed and awk, and for the life of me I'm having
> >> a tough time.  Here's what I got so far:
> >>
> >> zcat software.log.gz | bro-cut -d | sed -e 's/<tab character here, ie
> >> ctrl-v, tab>/-/g' -e 's/\-\-\-[A-Z]\{3,5\}::/ /' -e 's/^.*0000-//'
> >>
> >> This gets me kinda close, but not close enough...here's the raw entry:
> >>
> >> 2016-01-01T14:57:02+0000        x.x.x.x  -       HTTP::BROWSER
> >> Windows-Update-Agent    7       9       9600    18145   Client
> >> Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21
> >>
> >> What I'm really hoping for is this:
> >> x.x.x.x Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21
> >>
> >> Just the IP address, and the last bit...the entire unparsed_version
> >> field.  Anyone got a clever script to do something like this?  Thank
> >> you.
> >>
> >> James
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> Oh for......yugh 8-|  Sigh....some days even the simplest of tasks are
> MIGHTY chores for me.  OH LOOKIE HERE, HERE'S bro-cut --help!
> Gagh....thanks all...I'm going to go back to pretending I have a clue.
>
> James
>



-- 
Paul Halliday
http://www.pintumbler.org/
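Justin's point is that bro-cut selects columns by the names in the log's #fields header rather than by position, which is what makes it safer than `cut -f 2,11`. The following is an added example, not code from the thread or from Bro: a small POSIX awk function that does the same name-based selection over a constructed software.log fragment (the host 192.0.2.10 and the timestamp are made up; the field list is Bro's standard software.log layout).

```shell
#!/bin/sh
# Constructed sample of a Bro software.log, tab-separated, in Bro's ASCII
# log format (header lines start with '#'). Not a real capture.
SAMPLE_LOG=$(printf '#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tsoftware\n#fields\tts\thost\thost_p\tsoftware_type\tname\tversion.major\tversion.minor\tversion.minor2\tversion.minor3\tversion.addl\tunparsed_version\n#types\ttime\taddr\tport\tenum\tstring\tcount\tcount\tcount\tcount\tstring\tstring\n1451660222.000000\t192.0.2.10\t-\tHTTP::BROWSER\tWindows-Update-Agent\t7\t9\t9600\t18145\tClient\tWindows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21\n#close\t2016-01-01-15-00-00\n')

# brocut FIELD... : emulate "bro-cut host unparsed_version". Column positions
# are learned from the #fields header, so the selection keeps working if the
# log's field order changes; other '#' header lines are dropped.
brocut() {
  awk -F'\t' -v want="$*" '
    BEGIN { n = split(want, names, " ") }
    /^#fields/ {
      # $1 is "#fields", so data column i-1 carries the name in $i
      for (i = 2; i <= NF; i++) idx[$i] = i - 1
      for (k = 1; k <= n; k++)
        if (!(names[k] in idx)) {
          print "unknown field: " names[k] > "/dev/stderr"; exit 2
        }
      next
    }
    /^#/ { next }
    {
      out = ""
      for (k = 1; k <= n; k++) {
        j = idx[names[k]]
        out = out (k > 1 ? "\t" : "") $j
      }
      print out
    }'
}

# Same selection James asked for: just the host and the unparsed_version.
printf '%s\n' "$SAMPLE_LOG" | brocut host unparsed_version
```

On a real log, replace the printf with `zcat software.log.gz | brocut host unparsed_version`.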