Other log files besides conn.log

Is there a way to add the MAC address to log files like http.log, ssl.log, ssh.log, especially when the IP addresses are dynamic? I have been able to add the MAC address to the conn.log file following Bro-related threads. I am not skilled at Bro scripting, but I would very much like to have this functionality. Why? Due to the fact that I want to track down users of the network, and at one point their IP addresses do change; however, rarely do MAC addresses change unless of course you have spoofed them. Kindly reply. Anyone.

Hi Therenca:

You could add this to local.bro:

@load policy/protocols/conn/mac-logging

However, unless you’re actually directly monitoring inside the border of a subnet, the host MAC address will not be seen, but the MAC addresses of the routers, so this may not be too useful.

Depending on your network topology, dhcp.log might have some information on the mapping. You could also check your DHCP server’s logs, which should have the information you need.

Hope this helps,

Jim

I’m not the authority on Bro’s capabilities but http.log, ssl.log, ssh.log are all protocol specific and none have any notion of hardware addresses. If you’re looking to perform user attribution then I recommend pairing these logs with DHCP data to obtain a hardware address which you can in turn correlate with your lower layer information sources not processed by Bro such as ARP and switch port data. You may also get some mileage out of querying any domain specific authentication data where an explicit set of user credentials was used to authenticate from a device.

If you’re doing any kind of centralized logging with something like ELK or Splunk you might be able to create a custom search that pulls hardware addresses into the logs you named, but as far as I know Bro won’t do this natively (nor should it).

Hope this helps.

Wayland

I was unaware of the mac-logging option. Thanks for sharing.

Check out how the Bro logs are modified in ROCK: http://rocknsm.io

We have added ASNs in each log along with the IP addresses. You could replicate this, so the fields would be directly in the Bro logs of choice, but with the MAC addresses logged in the conn.log after enabling that policy script.

Charles "Chuck" A. Fair
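The correlation Jim and Wayland describe (mapping a dynamic IP in http.log back to a hardware address via dhcp.log) can be done outside Bro with a small script. This is an added example, not code from the thread or from Bro/ROCK; the log text is constructed in Bro's tab-separated format with trimmed field sets, and the lease bookkeeping (start time plus lease_time) is an assumption about how you want expiry handled.

```python
# Added example: join Bro http.log records to the DHCP lease that was active for
# the client IP at the time of the request. Log text is constructed, not captured.
import bisect
from collections import defaultdict

DHCP_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmac\tassigned_ip\tlease_time\ttrans_id
1500000000.000000\tCa1\t0.0.0.0\t68\t10.0.0.1\t67\taa:bb:cc:00:00:01\t10.0.0.50\t3600.000000\t1
1500003600.000000\tCb2\t0.0.0.0\t68\t10.0.0.1\t67\taa:bb:cc:00:00:02\t10.0.0.50\t3600.000000\t2
"""
HTTP_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi
1500001000.000000\tCc3\t10.0.0.50\t40000\t198.51.100.10\t80\tGET\texample.test\t/
1500004000.000000\tCd4\t10.0.0.50\t40001\t198.51.100.10\t80\tGET\texample.test\t/x
1500004000.000000\tCe5\t10.0.0.99\t40002\t198.51.100.10\t80\tGET\texample.test\t/y
"""

def parse_bro_log(text):
    """Yield one dict per record of a Bro TSV log, keyed by its #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, #close) and blanks
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def build_lease_index(dhcp_text):
    """Map assigned_ip -> list of (lease start, mac, lease end), sorted by start."""
    index = defaultdict(list)
    for rec in parse_bro_log(dhcp_text):
        start = float(rec["ts"])
        index[rec["assigned_ip"]].append((start, rec["mac"], start + float(rec["lease_time"])))
    for leases in index.values():
        leases.sort()
    return index

def mac_for(index, ip, ts):
    """MAC whose lease for ip was active at ts; None when no lease covers that time."""
    leases = index.get(ip, [])
    pos = bisect.bisect_right([start for start, _, _ in leases], ts) - 1  # latest lease starting <= ts
    if pos < 0:
        return None
    start, mac, end = leases[pos]
    return mac if ts < end else None  # an expired lease must not attribute a later user of the IP

def attribute_http(http_text, dhcp_text):
    """Return (uid, id.orig_h, mac or None) for every http.log record."""
    index = build_lease_index(dhcp_text)
    return [(r["uid"], r["id.orig_h"], mac_for(index, r["id.orig_h"], float(r["ts"])))
            for r in parse_bro_log(http_text)]
```

The same join works for ssl.log and ssh.log since they carry the same ts and id.orig_h fields; as Jim notes, this only helps where the sensor or DHCP server actually sees the client's own hardware address.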