Hello all!
Need advice about a problem I have:
I am initiating many bro commands on dynamically incoming pcaps, such as:
“bro -r some_file_name”.
On every run, logs are created in the same directory, but the next run rewrites those logs. How can bro create logs with a unique log name for each run?
I also tried adding a timestamp to the log name but did not find how to get the current time.
Would love your help,
John
Hi John,
I think bro just truncates the log file; maybe you can do something in the Ascii::DoInit function in the file /logging/writers/ascii/Ascii.cc to get what you need.
Hope this will help you.
Bowen Li
john Y <yjohn9691@gmail.com> wrote on Wednesday, June 27, 2018 at 4:21 AM:
Hi,
Traditionally we have recommended that you just run Bro in a different
directory each time, which is typically easily scriptable: just create a
small bash script that changes the directory before running Bro for each
pcap.
There actually is a reason that we don't (currently) support appending to
logs. The reason is that we cannot guarantee that the columns do not
change in between runs; in theory you can change your scripts between Bro
runs to add/remove/change a column.
This will mess up nearly anything that parses Bro logs: even though a new
#fields header would be added, most software only looks at the first one
in the file.
Johanna
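The per-pcap wrapper script that Johanna describes, written out as an added example (this is not code from the thread or from the Bro project). It creates one directory per run, named with a UTC timestamp and the pcap's basename so the original request for a timestamp in the name is covered too, changes into it in a subshell, and runs `bro -r` there, so no run truncates another run's conn.log, dns.log and so on. The OUT_BASE and BRO variables, the directory naming scheme and the collision suffix are my own choices, not anything Bro itself defines.

```shell
#!/bin/sh
# Run "bro -r <pcap>" inside a fresh directory per pcap so each run keeps its
# own set of logs instead of truncating the previous run's files.
#
# Usage (added example, not part of the original thread):
#   ./run_bro_per_pcap.sh /var/pcaps/*.pcap
#   OUT_BASE=/data/bro-runs BRO=/opt/bro/bin/bro ./run_bro_per_pcap.sh in.pcap

# Base directory under which one sub-directory per run is created (assumed name).
OUT_BASE="${OUT_BASE:-./bro-runs}"
# Bro binary; override with BRO=... if it is not on PATH (assumed variable).
BRO="${BRO:-bro}"

# Print a directory name that does not exist yet:
#   <OUT_BASE>/<UTC timestamp>_<pcap basename without extension>
# If two pcaps with the same name arrive within the same second, a numeric
# suffix (.1, .2, ...) is appended so runs never share a directory.
unique_run_dir() {
    pcap="$1"
    base="$(basename "$pcap" | sed 's/\.[^.]*$//')"
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    dir="$OUT_BASE/${stamp}_${base}"
    n=1
    while [ -e "$dir" ]; do
        dir="$OUT_BASE/${stamp}_${base}.$n"
        n=$((n + 1))
    done
    printf '%s\n' "$dir"
}

# Create the run directory, chdir into it in a subshell and run bro there.
# The subshell keeps the caller's working directory untouched; the pcap path
# is made absolute first so it still resolves after the chdir.
# Prints the run directory on success, returns non-zero on failure.
run_bro_in_unique_dir() {
    pcap="$1"
    case "$pcap" in
        /*) abs_pcap="$pcap" ;;
        *)  abs_pcap="$(pwd)/$pcap" ;;
    esac
    dir="$(unique_run_dir "$pcap")"
    mkdir -p "$dir" || return 1
    ( cd "$dir" && "$BRO" -r "$abs_pcap" ) || return 1
    printf '%s\n' "$dir"
}

# Process every pcap named on the command line; do nothing when no
# arguments are given (so the file can also be sourced for its functions).
if [ "$#" -gt 0 ]; then
    for pcap in "$@"; do
        run_dir="$(run_bro_in_unique_dir "$pcap")" || {
            echo "bro failed on $pcap" >&2
            continue
        }
        echo "$pcap -> $run_dir"
    done
fi
```

Because every run lands in its own directory, each log file carries exactly one #fields header, which is the property Johanna's reply says downstream parsers rely on; if you later change a script and a column appears or disappears, it does so between directories rather than in the middle of a file.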