Bro Log Filename Question

Hello Bro Community:

I was wondering if there was an easy way to modify log filenames that are placed into the spool directory. All I would like to do is to simply append ‘bro.’ to the beginning of each filename. I searched around a bit thinking there may be a simple configuration option I could modify in the broctl.cfg file. Unfortunately, however, I have not come upon any solution yet and feel like I am likely missing something obvious.

As an example, I would like the prefix to be something like ‘bro.conn.log’ instead of ‘conn.log’ for all files being written to the ‘/var/opt/bro/spool/bro’ directory. Is there a simple way to do this using the Bro application?

Thanks very much for your time and assistance.


Here’s what I did in Bro 2.1 (I haven’t tried this particular option in 2.2 yet). It’s a little hacky, but it works and I can use different values for different instantiations:

Change the frameworks/logging/main.bro script to include a “const log_prefix = "" &redef;”, then change the default_path_func to include this prefix when the function returns by cat’ing the prefix with whatever was being returned (three places in 2.1). Then you can add:

redef Log::log_prefix = "bro.";

in your run specific file to allow for variations.

A quick look at 2.2 seems to indicate that the same operation will work with that version.
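The same idea can be done as a separate script that wraps the stock naming function instead of patching main.bro, so it survives a Bro upgrade. This is an added example, not the patch described above or code shipped with Bro; it assumes a Bro 2.x where Log::default_path_func is declared &redef (true in 2.1 and 2.2), and the file name log-prefix.bro and the names log_prefix, stock_path_func and prefixed_path_func are choices made for this example.

```bro
# Added example (not the poster's patch): prepend a configurable prefix to
# every default log filename without editing frameworks/logging/main.bro.
# Assumes Log::default_path_func is &redef (Bro 2.1/2.2).
# Save as log-prefix.bro and "@load ./log-prefix" from local.bro.

module Log;

export {
	## Prefix prepended to every path the default naming function
	## produces, e.g. "bro." turns conn.log into bro.conn.log.
	const log_prefix = "" &redef;
}

# Keep a handle on the stock naming function before replacing it, so the
# wrapper reuses Bro's own stream-ID-to-filename logic instead of copying it.
global stock_path_func = Log::default_path_func;

function prefixed_path_func(id: Log::ID, path: string, rec: any): string
	{
	local base = stock_path_func(id, path, rec);

	# The framework may hand this function a path it produced earlier
	# (or one set explicitly on a filter), so never prefix twice.
	if ( |base| >= |log_prefix| && sub_bytes(base, 1, |log_prefix|) == log_prefix )
		return base;

	return cat(log_prefix, base);
	}

redef Log::default_path_func = prefixed_path_func;
```

With that loaded, a single line in local.bro (or a per-instance site file) selects the prefix for that instantiation: redef Log::log_prefix = "bro.";. Filters that set their own $path or $path_func are untouched, which is usually what you want for things like rotated or per-peer logs.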

Nice! Submit a patch perhaps? I think that's something we could reasonably take, especially since there are already two people obviously wanting it. :wink: