[Bro] adding fields to HTTP log - cluster environment
william de ping
bill.de.ping at gmail.com
Mon Mar 13 07:00:37 PDT 2017
Hi,
My mistake, another script ran and removed the default fields on HTTP :)
Thanks anyways
B
On Sun, Mar 12, 2017 at 6:03 PM, Dave Crawford <bro at pingtrip.com> wrote:
> Do you have “test_table” set as “&synchronized”?
>
> > On Mar 12, 2017, at 8:56 AM, william de ping <bill.de.ping at gmail.com> wrote:
> >
> > Hi everyone,
> >
> > I am trying to add a new field to HTTP log.
> > I want to check if orig_h is in a table, if true then add the value from that table to the record.
> >
> > I have a script that works in a single bro instance, but does not work in a cluster environment:
> >
> > @load base/protocols/http
> >
> > redef record HTTP::Info += {
> >     field: string &log &optional;
> > };
> >
> > event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
> >     {
> >     if ( c$http$id$orig_h in test_table )
> >         {
> >         c$http$field = test_table[c$http$id$orig_h];
> >         }
> >     }
> >
> > I am not sure why this script works with bro in a single instance mode but not in cluster mode.
> > Also, giving a higher priority to http_message_done event will override the actual event in main.bro under http?
> >
> > thanks
> > B
>
>
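The pattern discussed in this thread, as an added example that is not part of the original messages or of the Bro distribution: it adds a field to http.log from a lookup table and checks whether a log filter would drop that field. The field name `orig_label`, the table contents, the table's type (inferred from how the post uses it) and the idea that the other script removed fields through a log filter are assumptions.

```bro
# Added example, not code from the thread. orig_label and the table entry
# are constructed; 192.0.2.10 is a documentation address.
@load base/protocols/http

# &synchronized (the attribute asked about in the reply) only matters when
# the table is modified at runtime; a static initializer like this one is
# loaded by every cluster node that loads the script.
global test_table: table[addr] of string = {
	[192.0.2.10] = "lab-host"
} &synchronized;

redef record HTTP::Info += {
	orig_label: string &log &optional;
};

# Every handler of an event runs; &priority only orders them. Running above
# the base script's logging handler sets the field before Log::write() is
# called there, and does not replace that handler.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority=5
	{
	# The HTTP record may be missing if the analyzer never attached it.
	if ( ! c?$http )
		return;

	local orig = c$id$orig_h;
	if ( orig in test_table )
		c$http$orig_label = test_table[orig];
	}

# Assumption: another script can hide the new field by giving the default
# http.log filter an include or exclude set. Report that at startup, after
# other scripts' bro_init handlers have run.
event bro_init() &priority=-10
	{
	local f = Log::get_filter(HTTP::LOG, "default");

	if ( f?$include && "orig_label" !in f$include )
		Reporter::warning("http.log default filter: include set lacks orig_label");

	if ( f?$exclude && "orig_label" in f$exclude )
		Reporter::warning("http.log default filter: orig_label is excluded");
	}
```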