Hui Lin_External Communication with Bro


I am currently writing a policy to use Bro process event from external source, e.g. auth.log (under /var/log). I just want to catch some sudo operations from system. The effect that I want is any runtime changes in “auth.log” will be caught by Bro’s event handler.

So I review 2009 workshop exercise related to this topic. I understand how Broccoli and Bro-pipe works. But I just confusion on the run-time usage of it. Use Bro-Pipe for example, it uses “bro-pipe” text file with specific format as the input to Bro. Such as

ssh_fail_login double=1184518203 addr= addr= string=aggie string=password
ssh_fail_login double=1184529743 addr= addr= string=ailsa string=password
ssh_fail_login double=1184529745 addr= addr= string=aim string=password

So there should be a script to transform the original log file into this “bro-pipe” text file. My question is that is that possible to dynamically update this “bro-pipe” text file when the log file is updated during the runtime? if possible, what script is used and how to do that?