
List:       bro
Subject:    Re: [Bro] Hui Lin_Can I control when to create logging files
From:       "Hui Lin (Hugo) " <hlin33 () illinois ! edu>
Date:       2012-01-24 17:50:15
Message-ID: CAKq214==NF2rm_ZgoSNnKa9Omz4nYfCpRfmq0HJhU7mDBMpr4A () mail ! gmail ! com

That really helps.

I am reading the former part of the web site and I did not see anything
that mentions how logs are written into files. So perhaps it is better to add
some such comment on how logs are written in a section such as
"extending log" or generate log framework at the very beginning? And refer
the reader to the customize log stream in the later section. Just for
the lazy person like me.

On Tue, Jan 24, 2012 at 10:26 AM, Siwek, Jonathan Luke
<jsiwek@illinois.edu> wrote:

>
> > From my understanding, it seems that Logs files can only be created
> whenever connection_state_remove event handler is called.
>
> Specifically for the conn.log, that is the event handler in which the log
> file entries are written with Log::write().  You can look at where that's
> done in base/protocols/conn/main.bro.
>
> For other logs, Log::write() may get called from other event handlers
> depending on what the log file is supposed to convey.  E.g. in
> base/protocols/http/main.bro, you'll see that Log::write() can get called
> as soon as an HTTP response body is seen; it doesn't wait for the
> connection_state_remove event, but it does use it as a fallback for writing
> out incomplete request/response pairs.
>
> > I can only customize what to update here. If I don't update it, log
> files are still created with default values. Is there any way that I can
> control when to put values in memory into the log files?
>
> In the case you are extending an existing logging stream, you can update
> your new logging state (record fields marked with &log) in any event
> handler that you expect to occur before the handlers that do Log::write().
>
> In the case you are designing your own custom logging stream, you get full
> control over which event handlers you want to update your logging state and
> which ones you want to write to your log stream.  For an example see:
> http://www.bro-ids.org/documentation/logging.html#adding-streams
>
> +Jon




-- 
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33@illinois.edu
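The two cases Jon describes (extending an existing stream, and owning the write timing of a custom stream) in one Bro 2.0 script. This is an added example, not code from the thread, from the Bro documentation or from Bro's own scripts. The module name, the `orig_watched` and `logtiming` field names, the `LogTiming::LOG` stream and the `watched_hosts` set are invented for the example; the priority values it relies on in base/protocols/conn/main.bro are stated as assumptions in the comments.

```bro
##! Added example, not from this thread or from Bro's own scripts.  It shows
##! (a) adding a &log field to the existing conn.log and filling it before
##! base/protocols/conn/main.bro calls Log::write(), and (b) a custom stream
##! that writes on its own schedule: on the HTTP reply line, with
##! connection_state_remove only as a fallback for unanswered requests.
##! Module, field and stream names are invented for the example.

@load base/protocols/conn
@load base/protocols/http

module LogTiming;

export {
	## (a) New column for conn.log.  &optional leaves it "-" when never set.
	redef record Conn::Info += {
		orig_watched: bool &log &optional;
	};

	## Constructed sample data: hosts whose connections we want flagged.
	const watched_hosts: set[addr] = { 192.0.2.10, 192.0.2.11 } &redef;

	## (b) A custom stream with its own record type.
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:         time    &log;
		uid:        string  &log;
		id:         conn_id &log;
		user_agent: string  &log &optional;
		status:     count   &log &optional;
	};
}

## Per-connection state for the custom stream.
redef record connection += {
	logtiming: Info &optional;
};

event bro_init()
	{
	Log::create_stream(LogTiming::LOG, [$columns=Info]);
	}

## (a) Assumption about base/protocols/conn/main.bro: it creates c$conn in
## connection_state_remove at &priority=5 and calls Log::write() at
## &priority=-5, so a handler at the default priority 0 runs in between and
## sees the record before it is written.  Any earlier event would also do,
## as long as c$conn already exists there (hence the c?$conn check).
event connection_state_remove(c: connection)
	{
	if ( c?$conn )
		c$conn$orig_watched = c$id$orig_h in watched_hosts;
	}

## (b) Record the User-Agent as soon as the request header is parsed.
## Bro upper-cases header names before raising http_header.
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	if ( ! is_orig || name != "USER-AGENT" )
		return;

	if ( ! c?$logtiming )
		c$logtiming = [$ts=network_time(), $uid=c$uid, $id=c$id];

	c$logtiming$user_agent = value;
	}

## (b) Write the entry when the reply line arrives, without waiting for the
## connection to end, and clear the state so the next request on a
## keep-alive connection starts a fresh entry.
event http_reply(c: connection, version: string, code: count, reason: string)
	{
	if ( ! c?$logtiming )
		return;

	c$logtiming$status = code;
	Log::write(LogTiming::LOG, c$logtiming);
	delete c$logtiming;
	}

## (b) Fallback: a request that never received a reply is still written at
## teardown, with status left empty.
event connection_state_remove(c: connection)
	{
	if ( c?$logtiming )
		Log::write(LogTiming::LOG, c$logtiming);
	}
```

Running it against a capture (for example `bro -r trace.pcap logtiming.bro`, the file name being an assumption) yields a conn.log with an extra `orig_watched` column and a separate logtiming.log whose entries appear as replies are seen rather than when connections are torn down. The same pattern applies to any custom stream: update the record in whichever handlers carry the data, call Log::write() in the one that marks the entry as complete, and keep a connection_state_remove handler as the catch-all for partial entries.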



