On 3 Jan 2019, at 11:01, Rajput, Jawad (CONTR) wrote:

Is there a way to add Bro server hostname field into all the Bro log types? We have 5 Bro servers capturing traffic on different network nodes, we are trying to add each server/sensor hostname into all the log types so analyst can identify where the logs are coming from.

Yes!

We added a log extension mechanism a while ago. Here's a snippet you could start from...

# Set this per sensor (e.g. in local.bro or via the config framework).
option my_server_name = "";

# Every &log field of this record is appended to each log stream.
type MyLogExtension: record {
        server_name:   string &log;
};

# Called once per log path; the path argument is unused here.
function add_my_log_extension(path: string): MyLogExtension
        {
        return MyLogExtension($server_name = my_server_name);
        }

# Install it as the default extension for all log streams
# (fields appear with the Log::default_ext_prefix, "_" by default,
# i.e. as "_server_name").
redef Log::default_ext_func = add_my_log_extension;

.Seth

--
Seth Hall * Corelight, Inc * www.corelight.com
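A fuller version of the same mechanism, added here as an example and not part of Seth's message or the Bro project's own scripts: it defaults the sensor name to the OS hostname, adds a site label and the cluster worker name, and makes the field prefix explicit. It assumes Bro 2.6+/Zeek with the gethostname() BIF, Cluster::node and Log::default_ext_prefix available, and a file name of your choosing loaded from local.bro.

```zeek
# Added example (not from the mailing-list post). Assumed to be saved as
# sensor-tag.bro and loaded with @load from local.bro on every sensor.
module SensorTag;

export {
    ## Sensor name written into every log line. Defaults to the OS hostname
    ## (assumes the gethostname() BIF) and can be overridden per sensor.
    option sensor_name: string = gethostname();

    ## Free-form label for the network node this sensor monitors.
    option sensor_site: string = "unassigned";

    type Extension: record {
        ## Which of the Bro servers wrote this log line.
        sensor: string &log;
        ## Which network node that server captures on.
        site:   string &log;
        ## Cluster worker that produced the record; unset on a standalone box.
        node:   string &log &optional;
    };
}

function build_extension(path: string): Extension
    {
    local ext = Extension($sensor = sensor_name, $site = sensor_site);

    # Cluster::node is "" unless the script runs inside a cluster node
    # (assumes the cluster framework, loaded by default).
    if ( Cluster::node != "" )
        ext$node = Cluster::node;

    return ext;
    }

# Attach the extension to the default filter of every log stream.
redef Log::default_ext_func = build_extension;

# Extension columns are prefixed so they cannot collide with a stream's own
# fields; "_" is the framework default, restated here so the resulting
# column names (_sensor, _site, _node) are explicit.
redef Log::default_ext_prefix = "_";
```

Override the defaults per sensor in local.bro, e.g. redef SensorTag::sensor_site = "dmz-tap"; then every stream (conn, dns, http, ...) carries the same three columns.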