[Bro] Overwriting logs

Johanna Amann johanna at icir.org
Fri Jun 29 09:14:04 PDT 2018


Hi,

traditionally we recommended that you just run Bro in a different
directory each time, which is typically easy to script - just create a
small bash script that changes the directory before running Bro for each
pcap.

There actually is a reason that we don't (currently) support appending to
logs. The reason is that we cannot guarantee that the columns do not
change in between runs - in theory you can change your scripts between Bro
runs to add/remove/change a column.

This will mess up nearly anything that parses Bro logs - even though a new
#fields header would be added, most software only looks at the first one
in the file.

Johanna
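The per-pcap-directory approach Johanna describes, written out as an added example (not a script from the original thread). Only `bro -r <pcap>` comes from the thread; the `BRO`, `OUTDIR` and `RUN_STAMP` variables are assumed names chosen here.

```shell
#!/bin/sh
# Run Bro once per pcap, each run in its own fresh directory, so the logs
# of one run (conn.log, dns.log, ...) are never truncated by the next.
# BRO (assumed name) overrides the Bro binary; OUTDIR (assumed) the log root.
BRO="${BRO:-bro}"

# Build a per-run directory name from the pcap name and a timestamp,
# e.g. run_dir_for_pcap /data/a.pcap 20180627T042100Z
#   -> logs/a.pcap.20180627T042100Z
run_dir_for_pcap() {
    printf '%s/%s.%s\n' "${OUTDIR:-logs}" "$(basename "$1")" "$2"
}

# Create the run directory, cd into it in a subshell, and run Bro there.
# Bro writes its logs to the current working directory, so changing
# directory is all the isolation that is needed. Returns Bro's exit status.
# RUN_STAMP (assumed) can pin the timestamp; otherwise the current UTC time.
run_bro_in_own_dir() {
    pcap="$1"
    stamp="${RUN_STAMP:-$(date -u +%Y%m%dT%H%M%SZ)}"
    dir="$(run_dir_for_pcap "$pcap" "$stamp")"
    mkdir -p "$dir" || return 1
    # The pcap path must stay valid after the cd, so make it absolute.
    case "$pcap" in
        /*) abs="$pcap" ;;
        *)  abs="$(pwd)/$pcap" ;;
    esac
    ( cd "$dir" && "$BRO" -r "$abs" )
}

# Process every pcap named on the command line; keep going on failures.
run_all() {
    rc=0
    for p in "$@"; do
        run_bro_in_own_dir "$p" || { echo "bro failed on $p" >&2; rc=1; }
    done
    return $rc
}

run_all "$@"
```

Because every run gets a directory of its own, each log file carries exactly one `#fields` header, which sidesteps the column-change problem Johanna mentions.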

On Wed, Jun 27, 2018 at 10:52:24AM +0800, Bowen Li wrote:
> Hi John,
> I think bro just truncates the log file, maybe you can do something in
> the Ascii::DoInit function in file /logging/writers/ascii/Ascii.cc to get what
> you need.
> Hope this will help you.
> 
> Bowen Li
> 
> 
> john Y <yjohn9691 at gmail.com> wrote on Wed, Jun 27, 2018 at 4:21 AM:
> 
> > Hello all!
> > Need advice about a problem I have:
> >
> > I am initiating many bro commands on dynamically incoming pcaps, such as:
> > "bro -r some_file_name".
> >
> > On every run, logs are created in the same directory, but the next run
> > rewrites those logs. How can bro create logs with a unique log name for each run?
> >
> > I also tried to add a timestamp to the log name but did not find how to get
> > the current time.
> >
> > Love for your help,
> > John
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
