[Bro-Dev] Multiple logs in one SQLite database

Jakub S. Paulovic j.paulovic at gmail.com
Wed Nov 4 14:03:45 PST 2015


Hello,

I am trying to set up Bro to log all the events to a SQLite database. In my
local.bro file, I have added an event bro_init() with filters specifying
the writer to be WRITER_SQLITE like this:

        local filter_conn: Log::Filter =
                [
                $name="sqlite",
                $path="/var/db/conn",
                $config=table(["tablename"] = "conn"),
                $writer=Log::WRITER_SQLITE
                ];

        Log::add_filter(Conn::LOG, filter_conn);

        local filter_notice: Log::Filter =
                [
                $name="sqlite",
                $path="/var/db/conn",
                $config=table(["tablename"] = "notice"),
                $writer=Log::WRITER_SQLITE
                ];

        Log::add_filter(Notice::LOG, filter_notice);

... + other filters for http, dhcp and weird set accordingly.

I want the logs to be written to separate tables in one SQLite database.
However, when I run bro with this configuration, I almost immediately get
SQLite errors:

        error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: SQLite call failed: database is locked
        error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: terminating thread

After that, nothing else is written to the affected table. Can you please
suggest what I should do to achieve logging to one database with
multiple tables?

Thanks
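
Added example, not part of the original post and not Bro code: SQLite takes its write lock on the whole database file, so two connections writing to different tables of one file still contend, and a writer with no busy timeout fails at once with "database is locked". The Python sketch below reproduces that and shows the same insert succeeding once the second connection waits for the lock. It assumes each log filter's writer opens its own connection to the file; the file name, columns and rows are constructed.

```python
import os
import sqlite3
import tempfile
import threading
import time

TABLES = ("conn", "notice")  # table names taken from the two filters in the post

def make_db(path):
    db = sqlite3.connect(path, isolation_level=None)
    for name in TABLES:
        db.execute(f"CREATE TABLE IF NOT EXISTS {name} (ts REAL, msg TEXT)")
    db.close()

def contended_write(path, busy_timeout_s, hold_s=0.3):
    """Insert into 'notice' while another connection holds the write lock for
    an insert into 'conn'. Returns 'ok' or the SQLite error text."""
    holding = threading.Event()
    def conn_writer():
        a = sqlite3.connect(path, isolation_level=None)  # explicit transactions
        a.execute("BEGIN IMMEDIATE")  # take the database-wide write lock
        a.execute("INSERT INTO conn VALUES (?, ?)", (time.time(), "constructed row"))
        holding.set()
        time.sleep(hold_s)  # simulate a batch that is still being written
        a.execute("COMMIT")
        a.close()

    t = threading.Thread(target=conn_writer)
    t.start()
    holding.wait()
    b = sqlite3.connect(path, timeout=busy_timeout_s, isolation_level=None)
    try:
        b.execute("INSERT INTO notice VALUES (?, ?)", (time.time(), "constructed row"))
        return "ok"
    except sqlite3.OperationalError as exc:
        return str(exc)
    finally:
        b.close()
        t.join()

def run_demo():
    """Returns (result with no busy timeout, result with a 5 s busy timeout)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "logs.sqlite")
        make_db(path)
        return contended_write(path, 0), contended_write(path, 5.0)

if __name__ == "__main__":
    print(run_demo())
```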