I want to enable logging of MAC addresses as well as hostnames using Bro. I have been using Bro for a while, but I am still a bit new to it.
Version: Bro 2.5.1
From researching this a bit, I found that I can log this by enabling policy/protocols/dhcp/known-devices-and-hostnames.bro, but for this I also need to enable policy/misc/known-devices.log. This will then log to a devices.log.
Now the problem I am experiencing with those files is that this will only be logged once a day (by default).
I need this to be logged more frequently (as soon as there is the specific connection, I want that connection's MAC address and hostname to be logged). Is this possible? If possible, do I need to change the defaults, and where? Or did I possibly miss something?
Try a redef of Log::default_rotation_interval (docs here) to something that suits your need. If you're running a cluster, consider the LogRotationInterval in BroControl.
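The following is an added example, not code from the question, the answer, or the Bro distribution. It shows a small Bro 2.5.x script that writes one log entry per DHCP request, carrying the client MAC address and DHCP host name, the moment the request is seen, with no once-per-day suppression. It also places the redef the answer proposes at the bottom so the two settings can be compared: Log::default_rotation_interval governs how often log files are rotated, while the script's own event handler governs when entries are written. The module name DHCPDevices, the stream name LOG, the record type Info and the log path dhcp_devices are this example's own choices; the event signature assumes the Bro 2.5 DHCP analyzer (dhcp_request with a trailing host_name argument).

```bro
##! Added example (not part of the original question or answer): log the MAC
##! address and DHCP host name of every DHCP request as soon as it is seen,
##! rather than once per day. Assumes the Bro 2.5.x script API; the module,
##! stream, record and path names are this example's own.

@load base/protocols/dhcp

module DHCPDevices;

export {
	## Stream identifier (assumed name): becomes DHCPDevices::LOG.
	redef enum Log::ID += { LOG };

	## Columns of dhcp_devices.log (assumed layout).
	type Info: record {
		ts:        time   &log;            ## when the request was seen
		uid:       string &log;            ## connection uid, for joining with conn.log
		client:    addr   &log;            ## originator address of the DHCP request
		mac:       string &log;            ## client hardware address from the DHCP header
		host_name: string &log &optional;  ## DHCP host name option, if the client sent one
	};

	## Raised for each record before it is written, like Known::log_known_devices.
	global log_dhcp_devices: event(rec: Info);
}

event bro_init()
	{
	# Creates dhcp_devices.log alongside the other logs.
	Log::create_stream(DHCPDevices::LOG, [$columns=Info, $ev=log_dhcp_devices, $path="dhcp_devices"]);
	}

# Bro 2.5 raises dhcp_request once per DHCPREQUEST; host_name is "" when the
# client sent no host name option. No set of already-seen MACs is kept, so
# nothing suppresses repeat entries for the same device.
event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string)
	{
	# Skip requests with no hardware address in the header.
	if ( msg$h_addr == "" )
		return;

	local rec: Info = [$ts=network_time(), $uid=c$uid, $client=c$id$orig_h, $mac=msg$h_addr];

	# The host name is client supplied and unauthenticated; log it, but do not
	# treat it as an identity on its own.
	if ( host_name != "" )
		rec$host_name = host_name;

	Log::write(DHCPDevices::LOG, rec);
	}

# The setting the answer refers to. This only controls how often the log
# files are rotated (renamed and handed to the archiver); it does not change
# when Log::write above puts a line into the file.
redef Log::default_rotation_interval = 1hr;
```

Drop the script into the site directory and @load it from local.bro, then run broctl check and broctl deploy; in a cluster the dhcp_request handler runs on the workers and the entries arrive in dhcp_devices.log on the logging node. Each DHCPREQUEST then produces a line with ts, uid, client, mac and host_name, and known_devices.log can be left in place for its once-a-day summary.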