vern at icir.org
Sun Jul 13 12:59:31 PDT 2003
> While I am enjoying running my new bro-0.8_32, I find that some of the
> stuff gets reported to syslog (such as ContentGap and some FTP attacks),
> while the rest is getting piled to multiple files (ftp.log, http.log,
> etc). I looked at the manual and the *.bro file and it looks like it's
> hard-coded with ALERT statements. Is there any way to globally redirect
> everything to syslog?
There's no single mechanism for doing this.
You should be able to send all the log files to a single location by
redef'ing the various log file variables such as ftp_log, etc. For many
environments, you wouldn't want to syslog all of it, as it rapidly runs
into an immense amount of logging.
For finer-grained control over ALERT processing, Robin Sommer has contributed
the notion of an event that's generated after ALERT does its processing.
(This is in the 0.8a34 release that I just announced.) It looks like:
event alert_action(a: alert_info, action: AlertAction)
Because it's parameterized with the corresponding action, you can then
incorporate the action into your decision about what to do with the alert.
ALERT still generates a syslog for loggable actions, and prints the alert
to the alert log; perhaps it shouldn't, I'm undecided at this point.
Looking down the road, Umesh Shankar has implemented a "match" facility
that will provide more powerful event filtering & action designation.
I haven't integrated his changes yet, but will soon - I finally have dug
out for a bit and have some time for Bro development.
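As an added illustration (not code from the original message or from the Bro distribution), here is a policy fragment using the two mechanisms above: redef'ing the per-protocol log-file variables to a single file, and an alert_action handler that syslogs only the alerts that went solely to the alert log, so the ones ALERT already syslogs are not sent twice. The enum value ALERT_FILE, the alert_info fields $alert and $msg, the &redef on ftp_log/http_log, and the syslog() and fmt() built-ins are assumed from the 0.8-era policy scripts; check them against alert.bro in the release actually in use.

```bro
# Added example, not from the original message or the Bro distribution.
# Assumed from the 0.8-era scripts: ftp_log/http_log are &redef,
# AlertAction has the value ALERT_FILE, alert_info has fields $alert
# and $msg, and syslog()/fmt() are built-in functions.

# Collect the per-protocol logs in one file by redef'ing the
# log-file variables.
const combined_log = open_log_file("combined") &redef;
redef ftp_log = combined_log;
redef http_log = combined_log;

# alert_action fires after ALERT has done its own processing and is
# parameterized with the action that was chosen.
event alert_action(a: alert_info, action: AlertAction)
	{
	# ALERT still syslogs the loggable actions itself (as noted in
	# the message above), so only forward the alerts that went
	# to the alert log alone.
	if ( action == ALERT_FILE )
		syslog(fmt("%s: %s", a$alert, a$msg));
	}
```

Every alert passes through the handler, so if the goal really is "everything to syslog" the volume warning in the reply applies: drop the action test only on a lightly loaded sensor.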