adding fields to HTTP log - cluster environment

william_de_ping · March 12, 2017, 12:56pm

Hi everyone,

I am trying to add a new field to HTTP log.

I want to check if orig_h is in a table, if true then add the value from that table to the record.

I have a script that works in a single bro instance, but does not work in a cluster environment:

@load base/protocol/http

redef record HTTP::Info += {

field: string &log &optional;

}

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
{

if ( c$http$id$orig_h in test_table )
{

c$http$field = test_table[c$http$id$orig_h];

}

I am not sure why this script works with bro in a single instance mode but not in cluster mode.

Also, giving a higher priority to http_message_done event will override the actual event in main.bro under http ?

thanks

B

Dave_Crawford · March 12, 2017, 4:03pm

Do you have “test_table” set as “&synchronized”?

william_de_ping · March 13, 2017, 2:00pm

Hi,

my mistake, another script ran and removed the default fields on HTTP

Thanks anyways

B

Topic		Replies	Views
http_request event Zeek	7	129	May 6, 2022
Custom Script for log field addition. Zeek	2	108	May 6, 2022
http.log reorder and skip fields, how? Zeek	4	98	May 6, 2022
unusual_http_methods.bro script error Zeek	2	67	May 6, 2022
How to modify http.log Zeek	2	172	May 6, 2022