[Bro] Implementing MAC Address Label in Logs

Jim Mellander jmellander at lbl.gov
Tue Jul 10 08:42:35 PDT 2018


mac-logging.bro isn't loaded by default, so you need to add:

@load policy/protocols/conn/mac-logging

to local.bro


PS - You can look in the loaded-scripts log file to see exactly which bro
policies are actually being loaded in your installation.


Hope this helps,

Jim

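The two steps in the reply above (add the @load line, then confirm in loaded_scripts.log that the script really loaded) are easy to get wrong silently, so here is an added example, not code from the thread or from the Bro project, that checks each step against the files involved. It assumes a standard /usr/local/bro layout (the LOCAL_BRO and LOADED_LOG paths are assumptions; override them for your install), and it checks conn.log for the orig_l2_addr and resp_l2_addr columns that mac-logging.bro adds to Conn::Info. The sample log and local.bro contents in the demo are constructed.

```sh
#!/bin/sh
# Added example (not from the original thread): verify that the mac-logging
# policy is loaded into Bro, and add the @load line to local.bro if it is not.

# Assumed paths for a default /usr/local/bro installation; adjust as needed.
LOCAL_BRO="${LOCAL_BRO:-/usr/local/bro/share/bro/site/local.bro}"
LOADED_LOG="${LOADED_LOG:-/usr/local/bro/logs/current/loaded_scripts.log}"
LOAD_LINE='@load policy/protocols/conn/mac-logging'

# Return 0 if loaded_scripts.log lists mac-logging.bro, i.e. Bro actually
# loaded it (a file merely sitting in share/bro/policy is not loaded).
mac_logging_loaded() {
    log="$1"
    grep -q 'policy/protocols/conn/mac-logging.bro' "$log"
}

# Append the @load line to local.bro unless an uncommented copy is already
# there, so the function is safe to run repeatedly.
ensure_mac_logging_load() {
    site="$1"
    if grep -q "^[[:space:]]*$LOAD_LINE" "$site"; then
        return 0
    fi
    printf '\n# Log originator/responder link-layer (MAC) addresses in conn.log\n%s\n' \
        "$LOAD_LINE" >> "$site"
}

# Return 0 if conn.log's #fields header carries both link-layer address
# columns that mac-logging.bro adds (orig_l2_addr, resp_l2_addr).
conn_log_has_mac_fields() {
    conn="$1"
    grep '^#fields' "$conn" | grep -q 'orig_l2_addr' &&
        grep '^#fields' "$conn" | grep -q 'resp_l2_addr'
}

# Stand-alone demo on constructed files (not real sensor output).
demo_with_constructed_files() {
    tmp=$(mktemp -d) || return 1
    # Constructed loaded_scripts.log from a sensor without the policy loaded.
    printf '#fields\tname\n/usr/local/bro/share/bro/base/init-bare.bro\n' \
        > "$tmp/loaded_scripts.log"
    # Constructed conn.log header without the MAC columns.
    printf '#fields\tts\tuid\tid.orig_h\tid.resp_h\n' > "$tmp/conn.log"
    printf '@load misc/loaded-scripts\n' > "$tmp/local.bro"

    if mac_logging_loaded "$tmp/loaded_scripts.log"; then
        echo "mac-logging already loaded"
    else
        echo "mac-logging not loaded; adding @load to local.bro"
        ensure_mac_logging_load "$tmp/local.bro" || return 1
    fi
    if conn_log_has_mac_fields "$tmp/conn.log"; then
        echo "conn.log already has orig_l2_addr/resp_l2_addr"
    else
        echo "conn.log lacks MAC columns; redeploy Bro after editing local.bro"
    fi
    cat "$tmp/local.bro"
    rm -rf "$tmp"
}

demo_with_constructed_files
```

After the @load line is in local.bro the running Bro still has to pick it up: run `broctl deploy` (or your distribution's equivalent restart wrapper) rather than just rebooting, then re-run the loaded_scripts.log and conn.log checks. One caveat for the per-user split the original poster wants: the logged link-layer addresses are the ones on the frames the sensor sees, so for hosts behind a router the orig_l2_addr will be the router's interface, not the end user's machine; the mapping is only useful where the sensor taps the same L2 segment as the clients.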

On Tue, Jul 10, 2018 at 6:17 AM, Alex Todorovic <atodorovic at zyston.com>
wrote:

> Hi,
>
>
>
> I’m working on a project to monitor network traffic and I want to split up
> my logs based on the user. I’ve been using IP addresses for this, but since
> our network runs DHCP this requires costly computation to get the MAC
> address associated with the IP address.  I did some research and found that
> mac-logging.bro should do this for me, however my conn.log file doesn’t
> include a mac field despite the existence of mac-logging.bro in
> /usr/local/bro/share/bro/base/protocols/conn. I also copied
> mac-logging.bro to /usr/local/bro/share/bro/policy/protocols/conn just to
> be sure, but still nothing. I rebooted my machine and still nothing. FYI
> I’m on a security onion distribution of ubuntu 16.04.
>
>
>
> What do I need to do in order to implement this feature? Thanks in advance!
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>