Hello All,
Is there a way to add Bro server hostname field into all the Bro log types? We have 5 Bro servers capturing traffic on different network nodes, we are trying to add each server/sensor hostname into all the log types so analyst can identify where the logs are coming from.
v/r
Jawad Rajput
seth, January 24, 2019, 6:10pm
Yes!
We added a log extension mechanism a while ago. Here’s a snippet you could start from…
# Set per sensor, e.g. in local.bro: redef my_server_name = "sensor-1";
option my_server_name = "";
# Fields in this record are appended to every log record.
type MyLogExtension: record {
    server_name: string &log;
};
# Called by the logging framework for each write; path is the log path (e.g. "conn").
function add_my_log_extension(path: string): MyLogExtension
    {
    return MyLogExtension($server_name = my_server_name);
    }
# Install the extension for all streams/filters that do not set their own ext_func.
redef Log::default_ext_func = add_my_log_extension;
.Seth
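A variant of the extension above, added here as an example and not code from the thread: it falls back to the sensor's own hostname via gethostname() when no name is configured, and the module name SensorTag, the redef-able SensorTag::name and the field name sensor are assumptions of this example.

```zeek
# Added example: tag every log line with the sensor hostname, taken from
# gethostname() unless SensorTag::name is redef'd in local.bro.
module SensorTag;

export {
    # Override per sensor: redef SensorTag::name = "wireless-bro";
    const name = "" &redef;

    # Fields in this record are appended to every log record.
    type Extension: record {
        sensor: string &log;
    };
}

global sensor_name = "";

# Resolve the name early, before handlers that create log streams run.
event bro_init() &priority=10
    {
    sensor_name = (name == "") ? gethostname() : name;
    }

function add_extension(path: string): Extension
    {
    return Extension($sensor = sensor_name);
    }

redef Log::default_ext_func = add_extension;

# Extension fields are prefixed with Log::default_ext_prefix ("_"), so the
# column shows up as "_sensor" in conn.log, dns.log, etc.; redef the prefix
# to "" if the analysts' parsers expect a plain "sensor" column.
```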
Thanks a lot Seth, it worked out.
v/r
Jawad
What Seth suggests is a better way to do this.
I also do one more thing - when logs rotate overnight - we add the hostname to
the log file names too.
So our logs from different bro instances are named like:
conn.log.cluster-1-mgr.2019-03-29-00:00:00-00:00:00.gz
conn.log.wireless-bro.2019-03-29-00:00:00-00:00:00.gz
etc.
How we do this:
Basically in broctl.cfg I've added:
# change log naming
MakeArchiveName = /usr/local/bro/common/scripts/makelocal-archivename-2.1
and here is the makelocal-archivename-2.1
$ cat makelocal-archivename-2.1
#! /usr/bin/env bash