I want to generate custom log files.
For example, the columns of one log file should be like the following.
Those fields are found in files.log and http.log.
To get those values I need connection, fa_file and fa_metadata records.
I need connection for resp_h and resp_p through conn_id record (c$id$resp_h and c$id$resp_p).
I need connection for ts, uid, trans_depth, method, status_code, response_body_len, host, uri, referrer, _flash_version through HTTP::Info record.
I need connection for geo location through lookup_location(resp_h).
I need fa_metadata for mime_type, since I extract only particular mime types and also I build the filename that is going to be extracted.
I need fa_file for fuid, source, filename, md5, sha1, and extracted through Files::Info record.
connection and fa_file records are accessible in event file_over_new_connection.
However, at this phase md5, sha1, extracted, and response_body_len values are not present.
For this reason, I used HTTP::log_http and Files::log_files events.
I can get all values from those events except resp_h and resp_p.
I use file_over_new_connection for that since I also extract geo location from here.
But in this case, due to the nature of network traffic, which is not synchronous, the resp_h and geo location values in my custom log file are erroneous.
How do you do that?
I read the related parts of the documentation and source code of Bro and also reviewed the Bro archive for the last year.
I keep the post short in order not to be wordy for now.
I can send my script also.
Any help is quite appreciated,
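As an added example, not the poster's script, the following Bro script joins the pieces listed above into one custom log record per fuid. The pattern for the ordering problem described in the post is a per-fuid table: `file_over_new_connection` fills in the connection side (resp_h, resp_p, geo location) as early as possible, and the record is written only after both `Files::log_files` (md5, sha1, extracted) and `HTTP::log_http` (response_body_len and the rest) have fired, in whatever order they arrive. Two facts the post can use: `HTTP::Info` carries the `id: conn_id` field and a `resp_fuids` vector, so resp_h/resp_p and the join key are also available inside `HTTP::log_http`. The module name `CustomHTTPFile`, the log path `http_files`, the table name `pending` and the 5 min hold time are assumptions; it targets Bro 2.4+ (on Zeek, rename `bro_init` to `zeek_init`).

```zeek
# Added example (not the original poster's code). Module name, log path,
# table name and the 5 min hold time are assumptions.
module CustomHTTPFile;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:                time         &log &optional;
        uid:               string       &log &optional;
        resp_h:            addr         &log &optional;
        resp_p:            port         &log &optional;
        geo:               geo_location &log &optional;  # logged as geo.country_code, geo.city, ...
        trans_depth:       count        &log &optional;
        method:            string       &log &optional;
        host:              string       &log &optional;
        uri:               string       &log &optional;
        referrer:          string       &log &optional;
        status_code:       count        &log &optional;
        response_body_len: count        &log &optional;
        fuid:              string       &log;
        mime_type:         string       &log &optional;
        filename:          string       &log &optional;
        md5:               string       &log &optional;
        sha1:              string       &log &optional;
        extracted:         string       &log &optional;
        # Bookkeeping only (no &log): which of the two late events has fired.
        http_done:         bool         &default=F;
        files_done:        bool         &default=F;
    };
}

# If one half never arrives (e.g. the file was never analysed), write what
# was collected instead of silently dropping the entry on expiry.
function flush_stale(t: table[string] of Info, fuid: string): interval
    {
    Log::write(LOG, t[fuid]);
    return 0secs;
    }

# Partially assembled records keyed by fuid.
global pending: table[string] of Info &write_expire=5min &expire_func=flush_stale;

function get_pending(fuid: string): Info
    {
    if ( fuid !in pending )
        pending[fuid] = [$fuid=fuid];
    return pending[fuid];
    }

# Write once both the HTTP transaction and the file analysis are final.
function maybe_write(fuid: string)
    {
    local r = pending[fuid];
    if ( r$http_done && r$files_done )
        {
        Log::write(LOG, r);
        delete pending[fuid];
        }
    }

event bro_init() &priority=5
    {
    Log::create_stream(LOG, [$columns=Info, $path="http_files"]);
    }

# Earliest point: the connection side is known, hashes and body length are not.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
    {
    if ( f$source != "HTTP" )
        return;
    local r = get_pending(f$id);
    r$uid    = c$uid;
    r$resp_h = c$id$resp_h;
    r$resp_p = c$id$resp_p;
    r$geo    = lookup_location(c$id$resp_h);
    }

event Files::log_files(rec: Files::Info)
    {
    if ( rec$source != "HTTP" )
        return;
    local r = get_pending(rec$fuid);
    if ( rec?$mime_type ) r$mime_type = rec$mime_type;
    if ( rec?$filename )  r$filename  = rec$filename;
    if ( rec?$md5 )       r$md5       = rec$md5;
    if ( rec?$sha1 )      r$sha1      = rec$sha1;
    if ( rec?$extracted ) r$extracted = rec$extracted;
    r$files_done = T;
    maybe_write(rec$fuid);
    }

# HTTP::Info carries resp_fuids (the join key) and the conn_id, so the
# responder address can be filled here if file_over_new_connection was missed.
event HTTP::log_http(rec: HTTP::Info)
    {
    if ( ! rec?$resp_fuids )
        return;
    for ( i in rec$resp_fuids )
        {
        local fuid = rec$resp_fuids[i];
        local r = get_pending(fuid);
        r$ts = rec$ts;
        r$uid = rec$uid;
        r$trans_depth = rec$trans_depth;
        if ( ! r?$resp_h )
            {
            r$resp_h = rec$id$resp_h;
            r$resp_p = rec$id$resp_p;
            r$geo    = lookup_location(rec$id$resp_h);
            }
        if ( rec?$method )      r$method      = rec$method;
        if ( rec?$host )        r$host        = rec$host;
        if ( rec?$uri )         r$uri         = rec$uri;
        if ( rec?$referrer )    r$referrer    = rec$referrer;
        if ( rec?$status_code ) r$status_code = rec$status_code;
        r$response_body_len = rec$response_body_len;
        r$http_done = T;
        maybe_write(fuid);
        }
    }
```

The bookkeeping flags are the important part: because `Files::log_files` and `HTTP::log_http` fire independently, a record written from either one alone will be missing the other's fields, which is the symptom the post describes. The `&expire_func` is the safety net for files that only ever reach one of the two events.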