The log file x509.log contains parsed information from the X.509 certificate. However, I would like to know if the x509.log file contains the raw X.509 certificate itself. If yes, how do I extract the certificate from the log, not in real-time? Thanks
The certificates are not contained in any log file, just certificate meta data. To enable certificate extraction you need to enable the files framework which will write certificates to disk.
-AK
Just to expand on this a bit - if you want the certificates dumped in pem
format, there also is a policy script for this that ships with Bro; you
can just load protocols/ssl/extract-certs-pem.bro.
Johanna