Implementing MAC Address Label in Logs


I’m working on a project to monitor network traffic and I want to split up my logs based on the user. I’ve been using IP addresses for this, but since our network runs DHCP this requires costly computation to get the MAC address associated with the IP address. I did some research and found that mac-logging.bro should do this for me, however my conn.log file doesn’t include a mac field despite the existence of mac-logging.bro in /usr/local/bro/share/bro/base/protocols/conn. I also copied mac-logging.bro to /usr/local/bro/share/bro/policy/protocols/conn just to be sure, but still nothing. I rebooted my machine and still nothing. FYI I’m on a security onion distribution of ubuntu 16.04.

What do I need to do in order to implement this feature? Thanks in advance!

mac-logging.bro isn’t loaded by default, so you need to add:

@load policy/protocols/conn/mac-logging

to local.bro

PS - You can look in the loaded-scripts log file to see exactly which bro policies are actually being loaded in your installation.

Hope this helps,