Hui Lin_External Communication with Bro

Hi,

I am currently writing a policy to use Bro to process events from an external source, e.g. auth.log (under /var/log). I just want to catch some sudo operations from the system. The effect that I want is that any runtime changes in “auth.log” will be caught by Bro’s event handler.

So I reviewed the 2009 workshop exercise related to this topic. I understand how Broccoli and Bro-pipe work. But I am just confused about the run-time usage of it. Using Bro-Pipe for example, it uses a “bro-pipe” text file with a specific format as the input to Bro, such as

ssh_fail_login double=1184518203 addr=85.14.95.10 addr=131.243.2.11 string=aggie string=password
ssh_fail_login double=1184529743 addr=81.68.198.23 addr=131.243.2.11 string=ailsa string=password
ssh_fail_login double=1184529745 addr=81.68.198.23 addr=131.243.2.11 string=aim string=password

So there should be a script to transform the original log file into this “bro-pipe” text file. My question is: is it possible to dynamically update this “bro-pipe” text file when the log file is updated during the runtime? If possible, what script is used and how to do that?

Best,

Hui
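
An added example, not part of the original post and not code from the Bro project: one way to keep a "type=value" event stream in step with auth.log is to follow the log as it grows and emit one line per sudo record, in the layout of the ssh_fail_login samples above. The event name sudo_command, its argument order, and feeding the script's standard output to the bro-pipe input are assumptions.

```python
import os
import re
import sys
import time

# Constructed sample line in the usual sudo syslog layout (not from the post).
SAMPLE = "Jul 15 10:30:03 host1 sudo: alice : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id -u"

# \S+ fields hold no whitespace, so a log value cannot add "type=value" arguments.
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?"
                     r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>\S+)")

def convert_line(line, ts):
    """Return a bro-pipe style event line for a sudo record, or None."""
    m = SUDO_RE.search(line)
    if m is None:
        return None
    # 'sudo_command' is a hypothetical event name. Only the executable path is
    # emitted: the post does not show how values with spaces are written.
    return "sudo_command double=%d string=%s string=%s string=%s" % (
        ts, m.group("user"), m.group("target"), m.group("cmd"))

def follow(path, from_start=False, poll=0.5):
    """Yield complete lines appended to path, reopening it after rotation."""
    f = open(path, "rb")
    if not from_start:
        f.seek(0, os.SEEK_END)
    buf = b""
    while True:
        chunk = f.readline()
        if chunk:
            buf += chunk
            if buf.endswith(b"\n"):  # hold a partial write until it completes
                yield buf.decode("utf-8", "replace").rstrip("\n")
                buf = b""
            continue
        time.sleep(poll)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # mid-rotation: wait for the new file to appear
        if st.st_ino != os.fstat(f.fileno()).st_ino or st.st_size < f.tell():
            f.close()
            f, buf = open(path, "rb"), b""

if __name__ == "__main__":
    for entry in follow(sys.argv[1]):
        event = convert_line(entry, time.time())
        if event:
            print(event, flush=True)
```

The timestamp is the time the line was read rather than the syslog timestamp, which carries no year.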