[Bro] Overwriting logs
Johanna Amann
johanna at icir.org
Fri Jun 29 09:14:04 PDT 2018
Hi,
traditionally we recommended that you just run Bro in a different
directory each time. Which is typically easily scriptable - just create a
small bash script that changes the directory before running Bro for each
pcap.
There actually is a reason that we don't (currently) support appending to
logs. The reason is that we cannot guarantee that the columns do not
change in between runs - in theory you can change your scripts between Bro
runs to add/remove/change a column.
This will mess up nearly anything that parses Bro logs - even though a new
#fields header would be added, most software only looks at the first one
in the file.
Johanna
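As an added illustration of the caveat above (example code, not part of the thread or of Bro itself): a small Python reader that honours every #fields header block in an appended Bro ASCII log, so a column added or removed between runs is reported instead of silently misaligning rows. The log content is constructed, and the second header block is abbreviated.

```python
# Reader for a Bro ASCII log made of several appended runs. Each run writes its
# own #separator/#fields/#types block; a reader that only trusts the first
# #fields line misaligns columns as soon as a later run changes the layout.

def parse_bro_log(text):
    """Return (records, field_sets): records are dicts keyed by the #fields line
    in force for that row; field_sets lists every distinct #fields tuple seen."""
    sep, unset, fields = "\t", "-", None
    records, field_sets = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # the separator is written as an escape sequence, e.g. \x09 for TAB
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = tuple(value.split(sep))
                if fields not in field_sets:
                    field_sets.append(fields)
            elif key == "unset_field":
                unset = value
            continue  # #types, #path, #open, #close carry no rows
        if fields is None:
            raise ValueError("data row before any #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"row has {len(values)} columns, header has {len(fields)}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records, field_sets

def fields_consistent(text):
    """True when every run appended to this file used the same column layout."""
    return len(parse_bro_log(text)[1]) <= 1

# Constructed sample: two runs in one conn.log; the second run's scripts added
# a `service` column (hypothetical layout change, abbreviated header block).
SAMPLE = (
    "#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n"
    "#path\tconn\n#fields\tts\tuid\tid.orig_h\tproto\n#types\ttime\tstring\taddr\tenum\n"
    "1530000000.1\tC1\t10.0.0.1\ttcp\n#close\t2018-06-27-10-00-00\n"
    "#separator \\x09\n#fields\tts\tuid\tid.orig_h\tproto\tservice\n"
    "#types\ttime\tstring\taddr\tenum\tstring\n1530000100.2\tC2\t10.0.0.2\ttcp\t-\n"
)

if __name__ == "__main__":
    recs, layouts = parse_bro_log(SAMPLE)
    print(len(recs), "rows;", len(layouts), "distinct #fields layouts")
```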
On Wed, Jun 27, 2018 at 10:52:24AM +0800, Bowen Li wrote:
> Hi John,
> I think bro just truncates the log file, maybe you can do something in
> the Ascii::DoInit function in the file /logging/writers/ascii/Ascii.cc to get what
> you need.
> Hope this will help you.
>
> Bowen Li
>
>
> john Y <yjohn9691 at gmail.com> wrote on Wed, Jun 27, 2018 at 4:21 AM:
>
> > Hello all!
> > Need advice about a problem I have:
> >
> > I am initiating many bro commands on dynamically incoming pcaps, such as:
> > "bro -r some_file_name".
> >
> > On every run, logs are created in the same directory, but the next run
> > rewrites those logs. How can bro create logs with a unique log name for each run?
> >
> > Also tried to add timestamp to the log name but did not find how to get
> > current time.
> >
> > Love for your help,
> > John
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro