[Bro] adding fields to HTTP log - cluster environment

Dave Crawford bro at pingtrip.com
Sun Mar 12 09:03:17 PDT 2017


Do you have “test_table” set as “&synchronized”?

> On Mar 12, 2017, at 8:56 AM, william de ping <bill.de.ping at gmail.com> wrote:
> 
> Hi everyone,
> 
> I am trying to add a new field to HTTP log.
> I want to check if orig_h is in a table, if true then add the value from that table to the record.
> 
> I have a script that works in a single bro instance, but does not work in a cluster environment:
> 
> @load base/protocols/http
> 
> redef record HTTP::Info += {
>  field: string &log &optional;
> };
> 
> event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
> {
>  if ( c$http$id$orig_h in test_table )
>   {
>   c$http$field = test_table[c$http$id$orig_h];
>   }
> }
> 
> I am not sure why this script works with bro in a single instance mode but not in cluster mode.
> Also, will giving a higher priority to the http_message_done event override the actual event in main.bro under http?
> 
> thanks
> B



