Bro IDS request

Hello,

Because I lose so much processing power when manually converting Bro output logs from Epoch to EST using bro-cut, can I have a feature that outputs the Bro logs in EST automatically instead of Epoch while Bro is timestamping the logs as it sees the traffic?

I’m not sure if using the Epoch format makes Bro much faster while it’s processing, but I would like a more integrated solution aside from using the bro-cut utility.

Thank you for your time,

Maybe try: ftp://ftp.ee.lbl.gov/cf-1.2.5.tar.gz

e.g.: cf conn.log | less

Yeah, cf should be a few times faster than bro-cut for busy log files, especially if the only thing you are doing is converting the timestamp.
It has an optimization that bro-cut doesn't have yet for avoiding converting timestamps if the current one is the same second as the previous one.

If you are using both tools though and only extracting a few fields, piping bro-cut to cf should be faster than piping cf to bro-cut.

I'm not sure why converting the timestamp is so important though. What are you doing with the data once you convert the timestamps?

Manual searching to establish a timeline of events that I can understand when my intel.log chirps.

I’ll check it out. Glad to know there are alternatives to bro-cut.

Thanks for your time guys,
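The same-second caching trick described in the cf reply above, written out as an added Python example (not code from Bro, bro-cut or cf); it assumes a fixed -05:00 offset for EST, a constructed conn.log fragment, and a hypothetical convert_bro_log helper:

```python
from datetime import datetime, timedelta, timezone

# Assumption: fixed -05:00 offset labelled EST; no daylight-saving handling.
EST = timezone(timedelta(hours=-5), "EST")

# Constructed conn.log fragment in Bro's tab-separated ASCII log format.
SAMPLE_LOG = [
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum",
    "1389999600.123456\tCabc1\t10.0.0.1\t51515\t10.0.0.2\t80\ttcp",
    "1389999600.654321\tCabc2\t10.0.0.1\t51516\t10.0.0.2\t443\ttcp",
    "1389999601.000000\tCabc3\t10.0.0.3\t53\t10.0.0.2\t53\tudp",
    "-\tCabc4\t10.0.0.4\t1\t10.0.0.2\t1\ticmp",
]

def convert_bro_log(lines, tz=EST, field="ts"):
    # Rewrite the `field` column from epoch to local time; '#' header lines pass
    # through and #fields locates the column. Returns (lines, conversions), where
    # conversions counts real strftime calls, showing the same-second cache at work.
    out, idx, conversions = [], None, 0
    cached_sec, cached_prefix, cached_suffix = None, None, None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                idx = line.split("\t")[1:].index(field)
            out.append(line)
            continue
        if idx is None:
            raise ValueError("data line seen before #fields header")
        cols = line.split("\t")
        raw = cols[idx]
        if raw != "-":  # '-' is Bro's unset marker; leave it untouched
            whole, _, frac = raw.partition(".")
            sec = int(whole)
            if sec != cached_sec:  # only convert when the whole second changes
                dt = datetime.fromtimestamp(sec, tz)
                cached_sec = sec
                cached_prefix = dt.strftime("%Y-%m-%dT%H:%M:%S")
                cached_suffix = dt.strftime("%z")
                conversions += 1
            cols[idx] = cached_prefix + ("." + frac if frac else "") + cached_suffix
        out.append("\t".join(cols))
    return out, conversions
```

Running it over the four constructed records performs only two conversions, since the first two share a second and the unset row is skipped.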