Adding a human-readable timestamp field.

Hi all!

Full disclosure: I’m a bit of a bro-ginner, only been working with bro for about a month now.

I’m working on a bro script to add a human-readable timestamp field to my (http) logs, but I’ve run into a bit of a pickle.

Though my script checks out ("bro is ok!"), installs just fine, and even adds the appropriate field…every entry in the field column is unset! I'm not sure where I've gone astray, and I would appreciate any pointers.

I’ve included the text of my script below.

Thank you!

-Dani

@load base/protocols/http

module HTTP;

export {
	redef record Info += {
		## A human-readable timestamp
		human_time: string &log &optional;
	};
}

event time_translate(c: connection, rec: HTTP::Info)
	{
	# %F is YYYY-MM-DD; strftime renders in the sensor's local time zone.
	local format: string = "%F-%H-%M";
	c$http$human_time = strftime(format, rec$ts);
	}

Seth,

I see a lot of these...any chance we could get a config feature request that would default to human readable.

James

You're right up to here... the problem is nothing will trigger the
time_translate event. You need to use one of the existing events that
will fire for http connections.

I would try:

event HTTP::log_http(rec: HTTP::Info)
{
    ..
}

I believe that fires just before the entry is logged, if that doesn't
work an event like connection_established or http_request would
definitely work.

Thank you so much, Justin! This did the trick – I really appreciate the guidance!

If anybody’s interested, here’s the working bro-code:

@load base/protocols/http

module HTTP;

export {
	redef record Info += {
		## A human-readable timestamp
		human_time: string &log &optional;
	};
}

# http_request fires for every request, after the base script has
# created c$http, so the field is filled before the record is logged.
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
	{
	local format: string = "%F, %H:%M";
	c$http$human_time = strftime(format, c$http$ts);
	}

Thanks for posting your script! I just added it to my install so I can stop doing date -d@ all the time.

No worries! This only works for HTTP logs – you'd have to edit it for other protocols, which I've done for SSL, FTP, and SSH. I've included those scripts below, in case anybody else would like to use them. Let me know if any issues crop up, or if the coding isn't in the bro-spirit. :)

File: human_time_ftp.bro

@load base/protocols/ftp

module FTP;

export {
	redef record Info += {
		## A human-readable timestamp
		human_time: string &log &optional;
	};
}

# ftp_request fires for every command, after the base script has
# created c$ftp, so the field is filled before the record is logged.
event ftp_request(c: connection, command: string, arg: string)
	{
	local format: string = "%F, %H:%M:%S";
	c$ftp$human_time = strftime(format, c$ftp$ts);
	}
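The per-protocol scripts above each hook one protocol event, so the column is only filled when that particular event fires (a response logged without a request, for instance, never gets stamped). One way to do it once for several logs is to attach a predicate to each stream's default log filter: the predicate is evaluated by Log::write itself, right before the columns are serialised, so it does not depend on which protocol events fired. The script below is an added example, not code from this thread or from Bro's own scripts; the file name human_time.bro, the module name HumanTime, and the install() helper are my own choices, and it assumes Bro 2.x naming (bro_init, base/protocols/*, Log::get_filter/Log::add_filter).

```bro
# human_time.bro (hypothetical file name; added example, not from the thread).
# Stamps a human-readable timestamp on conn, ftp and http records from one
# place by re-installing each stream's default log filter with a predicate.
@load base/protocols/conn
@load base/protocols/ftp
@load base/protocols/http

module HumanTime;

export {
	## strftime(3) format. %z appends the sensor's UTC offset so the value
	## stays unambiguous when the log is reviewed in another time zone.
	const format = "%F %T %z" &redef;
}

# The column has to be declared on every record type we intend to stamp.
redef record Conn::Info += { human_time: string &log &optional; };
redef record FTP::Info  += { human_time: string &log &optional; };
redef record HTTP::Info += { human_time: string &log &optional; };

# Re-install a stream's "default" filter with a predicate attached.
# Log::add_filter replaces an existing filter of the same name, so the
# stream keeps its usual path and writer. Bro 2.x anonymous functions
# cannot capture locals, so an existing predicate cannot be chained;
# we warn and leave such a filter alone rather than clobber it.
function install(id: Log::ID, pred: function(rec: any): bool)
	{
	local f = Log::get_filter(id, "default");
	if ( f$name != "default" )
		return;   # default filter already removed by another script
	if ( f?$pred )
		{
		Reporter::warning(fmt("HumanTime: %s default filter already has a predicate, not stamping", id));
		return;
		}
	f$pred = pred;
	Log::add_filter(id, f);
	}

# Base scripts create their streams in bro_init at priority 5; run after them.
event bro_init() &priority=-5
	{
	install(Conn::LOG, function(rec: Conn::Info): bool
		{
		rec$human_time = strftime(format, rec$ts);
		return T;
		});
	install(FTP::LOG, function(rec: FTP::Info): bool
		{
		rec$human_time = strftime(format, rec$ts);
		return T;
		});
	install(HTTP::LOG, function(rec: HTTP::Info): bool
		{
		rec$human_time = strftime(format, rec$ts);
		return T;
		});
	}
```

Load it with `@load human_time` (or add it to local.bro) and the extra column appears in conn.log, ftp.log and http.log; adding another protocol is one `redef record` line plus one `install()` call. The format can be changed per site with `redef HumanTime::format = "...";` in local.bro. Keep `%z` (or switch the sensor to UTC) if logs from several sensors are ever compared side by side, since strftime renders local time.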