[Bro] Custom Script for log field addition.

[Azoff, Justin S]

> On Jun 2, 2017, at 11:19 AM, Blake Moss <byublakemoss12 at gmail.com> wrote:
> 
> Hi all,
> I have a question regarding deploying custom scripts across a distributed bro cluster (manager, multiple worker nodes, etc.). I have a particular custom script which add an extra field to the “conn.log”. When I load this script in my local.bro (via @load myscript) on my manager node and use broctl to deploy this across the cluster I do not get an error. However the extra field in my “conn.log” does not appear in the /usr/local/bro/logs/current/conn.log. I did some looking around and found that the field was however being added to the /usr/local/bro/spool/bro/conn.log.  I have tried loading this script in the local-worker.bro, and local-manager.bro but have had no success. Here is my script: module 
>  
> MyScript.bro
> -----------------------------
> addWorker;
> export
> {
> redef record Conn::Info += {
>         worker_id: string &default="unknown" &log;
> };
>  
> event connection_state_remove(c: connection)
> {
>          c$conn$worker_id = peer_description;
> }
> }
>  

Looks like my script :-)

/usr/local/bro/logs/current/conn.log and /usr/local/bro/spool/bro/conn.log should be the same file

/usr/local/bro/logs/current should be a symlink to /usr/local/bro/spool/bro

However, on a cluster the log files should really be under spool/manager or spool/logger, unless you have something like this in node.cfg

[bro]
type=manager
host=..

instead of

[manager]
type=manager
host=..

In any case, you should never add things to local-worker.bro or local-manager.bro.


-- 
- Justin Azoff