[Bro] Write logs

Azoff, Justin S jazoff at illinois.edu
Mon Feb 12 08:11:35 PST 2018


> On Feb 12, 2018, at 11:04 AM, Rober Fernández <roberixion at gmail.com> wrote:
> 
> I want to write several logs for the same connection. The problem with the logging framework is that it can only filter a log;

The problem is that path_func is not for filtering, it is for splitting a single log stream into one or more different output files.
If you want to filter a log file, you need to use $pred, not $path_func.

You simply need to call Log::add_filter 3 times, once for each pred function.

— 
Justin Azoff

> For example, if I had three filters with log_metadata=T, I would like to write to three different logs
> 
> filter-1.log
> filter-3.log
> filter-10.log
> 
> 
> 
> function filter_conn(id: Log::ID, path: string, rec: Conn::Info) : string {
> 
>     local filters = Filter::filters;
>     local file_filter = "";
> 
>     for (i in filters) {
> 
>         if (i?$log_metadata && i$log_metadata == T) {
> 
>             file_filter = "filter-" + cat(i$id_fil);
>             break;
>         }
>     }
> 
>     return file_filter;
> }
> 
> 
> event bro_init() {
> 
>     local metadata: Log::Filter = [
>         $name="metadata",
>         $path="metadata",
>         $include=set("ts","id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service",
>          "duration", "orig_bytes", "resp_bytes", "missed_bytes", "orig_pkts", "resp_pkts", "orig_file",
>          "resp_file"),
>          $path_func=filter_conn
>     ];
> 
>     Log::add_filter(Conn::LOG, metadata);
> 
> }
> 
> With this code, I only return the first match, filter-1.log
> 
> How could I do this?
> 
> Thanks
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
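A sketch of the approach Justin describes, as an added example that is not part of the original thread: three Log::add_filter calls on Conn::LOG, each with its own $path and its own $pred, so a single connection record can land in every enabled file rather than only the first match. The record type behind Filter::filters, its id_fil and log_metadata fields, the sample table contents and the enabled() helper are assumptions; the $include field list is the one from the quoted post.

```zeek
@load base/protocols/conn

module Filter;

export {
    # Assumed shape of the entries in the original post's Filter::filters.
    type Entry: record {
        id_fil: count;
        log_metadata: bool &default=F;
    };

    # Constructed sample state: filters 1 and 3 are enabled, 10 is not.
    global filters: table[count] of Entry = {
        [1]  = [$id_fil=1,  $log_metadata=T],
        [3]  = [$id_fil=3,  $log_metadata=T],
        [10] = [$id_fil=10, $log_metadata=F]
    };
}

# Field set shared by the three output files (the same list as in the post).
const metadata_fields: set[string] = set("ts", "id.orig_h", "id.orig_p",
    "id.resp_h", "id.resp_p", "proto", "service", "duration", "orig_bytes",
    "resp_bytes", "missed_bytes", "orig_pkts", "resp_pkts", "orig_file", "resp_file");

# True when filter id_fil exists and is switched on (assumed helper).  Each Log
# filter's $pred asks this for its own id; $path_func is not involved at all.
function enabled(id_fil: count): bool
    {
    return id_fil in filters && filters[id_fil]$log_metadata;
    }

event bro_init()
    {
    # One Log::add_filter call per output file.  $path names the file,
    # $pred decides per record whether it is written there.
    local f1: Log::Filter = [$name="filter-1", $path="filter-1",
                             $include=metadata_fields,
                             $pred(rec: Conn::Info) = { return enabled(1); }];
    local f3: Log::Filter = [$name="filter-3", $path="filter-3",
                             $include=metadata_fields,
                             $pred(rec: Conn::Info) = { return enabled(3); }];
    local f10: Log::Filter = [$name="filter-10", $path="filter-10",
                              $include=metadata_fields,
                              $pred(rec: Conn::Info) = { return enabled(10); }];

    Log::add_filter(Conn::LOG, f1);
    Log::add_filter(Conn::LOG, f3);
    Log::add_filter(Conn::LOG, f10);
    }
```

With the sample table above, every connection record is written to both filter-1.log and filter-3.log, and filter-10.log stays empty because its predicate is never true.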