[Bro] rename field on a per analyzer basis
Seth Hall
seth at corelight.com
Thu Aug 23 07:52:33 PDT 2018
field_name_map is a Log::Filter option. You can apply those tables per
filter so you can do something like this...
```bro
event bro_init()
	{
	# Fetch the stream's existing "default" filter, attach a rename map
	# (original column name -> name written to the log), and re-add the
	# filter under the same name so it replaces the old one.
	local f = Log::get_filter(Conn::LOG, "default");
	f$field_name_map = table(["service"] = "blarg");
	Log::add_filter(Conn::LOG, f);
	}
```
On 16 Aug 2018, at 8:16, erik clark wrote:
> How can I rename a field based on the analyzer? For example:
>
> smtp.log:path -> smtp.log->smtp_path
> smb_files.log:path -> smb_files.log:smb_path
>
> Currently I am using default map, but this does it for all analyzers:
>
> redef Log::default_field_name_map = { ["path"] =
> "smb_path",
--
Seth Hall * Corelight, Inc * www.corelight.com
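Applying the per-filter map to the two logs named in the question, as an added example that is not part of the thread. It assumes the stream ids `SMTP::LOG` and `SMB::FILES_LOG` from the base protocol scripts, a `Log::Filter` with the `field_name_map` field as described above, and that the base scripts create their streams (and so their "default" filters) at `bro_init` priority 5, which is why the handler below runs at a lower priority.

```bro
# Added example, not code from the thread. Assumes SMTP::LOG and
# SMB::FILES_LOG exist and that Log::Filter carries field_name_map.

# Fetch a stream's "default" filter, attach a rename map and re-add it under
# the same name, which replaces the previous filter for that stream.
function rename_log_fields(id: Log::ID, renames: table[string] of string)
	{
	local f = Log::get_filter(id, "default");
	f$field_name_map = renames;
	Log::add_filter(id, f);
	}

# Run after the base scripts' bro_init (&priority=5) so the default filters
# already exist when we look them up.
event bro_init() &priority=-5
	{
	# smtp.log: path -> smtp_path
	rename_log_fields(SMTP::LOG, table(["path"] = "smtp_path"));
	# smb_files.log: path -> smb_path
	rename_log_fields(SMB::FILES_LOG, table(["path"] = "smb_path"));
	}
```

Each stream keeps its own map, so the same source column name can be renamed differently per log. Whether a filter-level map is merged with `Log::default_field_name_map` or replaces it for that filter is not covered by the thread; check the logging framework documentation for the version in use before relying on both at once, and verify the written headers (`#fields` line) after the change.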