Format of log file

Hello,

I have a little question: why do we have some log files which start with
t=<epoch_time>, for example alarm/notice, and others with just <epoch_time>,
for example arp/conn?
I ask this because I'm writing a little script and it'll
be easier to only have one format. :-)

Another thing: I'm thinking about adding one more parameter in bro.cfg; we
may use it to specify whether we want the log's time in epoch time or 'normal'
time.
What do you think about this?

Best regards,

Jean-philippe.

I have a little question: why do we have some log files which start with
t=<epoch_time>, for example alarm/notice, and others with just <epoch_time>,
for example arp/conn?

Historically each file has used fixed-column format, without tags to
indicate the meaning of the column. We've started migrating to tags for
just the reason you cite, to make it easier to write back-end parsers.
However, this effort is not complete.

I ask this because I'm writing a little script and it'll
be easier to only have one format. :-)

In the interim you might consider writing helper scripts that will
translate the different log files into a tagged format.

Another thing: I'm thinking about adding one more parameter in bro.cfg; we
may use it to specify whether we want the log's time in epoch time or 'normal'
time.

By normal time do you mean human-readable timestamps? If so, you can achieve
that using the "cf" tool in aux/cf - except it presently expects timestamps
to start at the beginning of each line, so you'd need to extend it to know
about t=<timestamp>. (If you do, please send us a patch for the addition.)

    Vern
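As an added illustration of the helper-script approach suggested above (example code written for this thread, not Bro's own code and not the aux/cf tool), here is a small Python normalizer that accepts both layouts named in the question, lines tagged t=<epoch> and lines beginning with a bare <epoch>, and emits one tagged form with either a human-readable UTC timestamp or the original epoch value. The sample lines and their field contents are constructed for the example; the only assumption is that the timestamp is epoch seconds at the start of the line, followed by whitespace.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the two layouts discussed in the thread:
# an alarm/notice-style line tagged with t=<epoch>, and an arp/conn-style
# line that starts with a bare <epoch>.  Field contents are made up.
SAMPLE_LINES = [
    "t=1200000000.123456 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=10.0.0.5",
    "1200000000.654321 10.0.0.5 10.0.0.9 80 tcp http",
]

# Timestamp = epoch seconds with an optional fraction, optionally prefixed
# by "t=", anchored at the start of the line as in both layouts.
_TS_RE = re.compile(r"^(?P<tag>t=)?(?P<ts>\d+(?:\.\d+)?)(?P<rest>\s.*|$)")


def parse_timestamp(line):
    """Return (epoch_seconds, rest_of_line, was_tagged), or None when the
    line does not start with a timestamp in either layout."""
    m = _TS_RE.match(line)
    if not m:
        return None
    return float(m.group("ts")), m.group("rest").lstrip(), m.group("tag") is not None


def epoch_to_human(epoch):
    """Render epoch seconds as an ISO-8601 UTC string with microseconds."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def normalize_line(line, human_readable=True):
    """Rewrite one log line into the tagged layout "t=<timestamp> ..." so a
    single downstream parser can handle both file types.  Lines that do not
    begin with a timestamp (headers, comments) are passed through unchanged."""
    line = line.rstrip("\n")
    parsed = parse_timestamp(line)
    if parsed is None:
        return line
    epoch, rest, _was_tagged = parsed
    stamp = epoch_to_human(epoch) if human_readable else f"{epoch:.6f}"
    return f"t={stamp} {rest}".rstrip()


def normalize_lines(lines, human_readable=True):
    """Normalize a sequence of lines, e.g. the contents of one log file."""
    return [normalize_line(line, human_readable) for line in lines]


if __name__ == "__main__":
    for out in normalize_lines(SAMPLE_LINES):
        print(out)
```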

Hello,

Historically each file has used fixed-column format, without tags to
indicate the meaning of the column. We've started migrating to tags for
just the reason you cite, to make it easier to write back-end parsers.
However, this effort is not complete.

  OK, I understand, it sounds good.

In the interim you might consider writing helper scripts that will
translate the different log files into a tagged format.

  OK, no problem for this.

By normal time do you mean human-readable timestamps? If so, you can achieve
that using the "cf" tool in aux/cf - except it presently expects timestamps
to start at the beginning of each line, so you'd need to extend it to know
about t=<timestamp>. (If you do, please send us a patch for the addition.)

    Vern
  
  What I thought about was to have the choice of having a human-readable
  time format directly in the log.
  I'll work on "cf" as soon as possible, as suggested. :-)
  
  Best regards,
  
  Jean-philippe.