Hi,
I’m working on a project to monitor network traffic and I want to split up my logs based on the user. I’ve been using IP addresses for this, but since our network runs DHCP this requires costly computation to get the MAC address associated with the IP address. I did some research and found that mac-logging.bro should do this for me; however, my conn.log file doesn’t include a mac field despite the existence of mac-logging.bro in /usr/local/bro/share/bro/base/protocols/conn. I also copied mac-logging.bro to /usr/local/bro/share/bro/policy/protocols/conn just to be sure, but still nothing. I rebooted my machine and still nothing. FYI I’m on a Security Onion distribution of Ubuntu 16.04.
What do I need to do in order to implement this feature? Thanks in advance!
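For the goal described in the post (splitting conn.log by the machine behind a DHCP-assigned address rather than by IP), the following is an added example, not code from the original post or from the Bro project. It parses the Bro ASCII log format (the `#fields`, `#unset_field` and `#types` header lines followed by tab-separated records) and groups connections by `orig_l2_addr`, the column that the mac-logging script adds to `Conn::Info` alongside `resp_l2_addr`. It assumes the script was enabled by adding `@load protocols/conn/mac-logging` to local.bro, since scripts under `policy/` are not loaded by default; the two sample logs below are constructed and abbreviated, one with the MAC columns and one without, and the second reproduces the symptom in the post so the script fails with a message that points at the missing `@load` instead of silently grouping nothing.

```python
"""Group Bro/Zeek conn.log records by the originator's link-layer address.

Added example, not from the original post. Assumes conn.log was written with
policy/protocols/conn/mac-logging loaded, which adds the optional columns
orig_l2_addr and resp_l2_addr. Both sample logs below are constructed.
"""
from collections import defaultdict

# Constructed, abbreviated conn.log with the mac-logging columns present.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\torig_l2_addr\tresp_l2_addr
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount\tstring\tstring
1500000000.000000\tCa1\t10.0.0.5\t51000\t93.184.216.34\t443\ttcp\t1200\t5400\taa:bb:cc:00:00:01\t00:11:22:33:44:55
1500000001.000000\tCa2\t10.0.0.5\t51001\t8.8.8.8\t53\tudp\t60\t120\taa:bb:cc:00:00:01\t00:11:22:33:44:55
1500000002.000000\tCa3\t10.0.0.7\t40000\t93.184.216.34\t80\ttcp\t-\t-\taa:bb:cc:00:00:02\t00:11:22:33:44:55
1500000003.000000\tCa4\t10.0.0.9\t40001\t93.184.216.34\t80\ttcp\t300\t900\t-\t00:11:22:33:44:55
#close\t2017-07-14-00-00-04
"""

# Constructed conn.log as written when mac-logging is NOT loaded (the symptom
# in the post): no orig_l2_addr / resp_l2_addr columns at all.
SAMPLE_CONN_LOG_NO_MAC = """\
#separator \\x09
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount
1500000000.000000\tCa1\t10.0.0.5\t51000\t93.184.216.34\t443\ttcp\t1200\t5400
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header.

    Assumes the default tab separator. Values equal to #unset_field (default
    "-") are returned as None so callers can tell "absent" from a real value.
    """
    fields = None
    unset = "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue  # other header lines (#separator, #types, #close, ...) are ignored
        if fields is None:
            raise ValueError("record seen before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count does not match #fields: %r" % line)
        yield {name: (None if v == unset else v) for name, v in zip(fields, values)}


def connections_by_mac(text):
    """Return {orig_l2_addr: {"connections": n, "orig_bytes": b, "hosts": set}}.

    Records whose MAC is unset are grouped under the key None rather than
    dropped, so traffic without a recorded link-layer address stays visible.
    Raises KeyError when the log has no orig_l2_addr column, i.e. when
    mac-logging was not loaded when the log was written.
    """
    records = list(parse_bro_log(text))
    if records and "orig_l2_addr" not in records[0]:
        raise KeyError("conn.log has no orig_l2_addr column; add "
                       "'@load protocols/conn/mac-logging' to local.bro and restart Bro")
    summary = defaultdict(lambda: {"connections": 0, "orig_bytes": 0, "hosts": set()})
    for rec in records:
        entry = summary[rec["orig_l2_addr"]]
        entry["connections"] += 1
        entry["orig_bytes"] += int(rec["orig_bytes"] or 0)  # unset bytes count as 0
        entry["hosts"].add(rec["id.orig_h"])
    return dict(summary)


if __name__ == "__main__":
    for mac, entry in sorted(connections_by_mac(SAMPLE_CONN_LOG).items(), key=str):
        print(mac, entry["connections"], entry["orig_bytes"], sorted(entry["hosts"]))
```

Grouping on `orig_l2_addr` only works for traffic whose link layer Bro actually sees; connections that arrive over a span port from a routed segment carry the router's MAC, and some capture paths drop the Ethernet header entirely, which is why the unset case is kept as its own bucket instead of being discarded.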