[Bro] How to turn off logging Bro alerts via syslog
vern at icir.org
Thu Dec 30 02:38:47 PST 2004
> We are running Bro 0.9a8.14 on our Linux system. We notice that
> / is often 100% full because of huge /var/log/messages, which
> seems filled with the Bro alerts that are also recorded in its
> own alarm log file.

You shouldn't be recording a huge number of alarms. The philosophy is
that alarms should be of potential operator interest; while "notices" are
of general informational interest, but not something that should be
alarmed/syslog'd. If you send me the alarms (privately) I can suggest
some ways to filter them down.

> would we be missing any Bro alerts if we delete /var/log/messages?

They'll still be recorded in alarm.$BRO_LOG_SUFFIX, but deleting
/var/log/messages is the wrong way to fix the problem!
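The reply's point is that the fix is to filter the alarm set down, not to delete the syslog file. A first step an operator can take before deciding which notice types to demote from alarms is to measure which types dominate the syslog volume. The script below is an added example, not code from the original thread or from the Bro project; the syslog lines it parses are constructed, and the line layout it assumes (a syslog prefix, the program name `bro:`, then a notice type followed by a colon) is an assumption about the format, not a statement of what Bro 0.9 actually emits.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages content. The layout
# "<timestamp> <host> bro: <NoticeType>: <detail>" is an assumption for
# this example, not real Bro 0.9 output; adjust BRO_LINE for your logs.
SAMPLE_MESSAGES = """\
Dec 30 02:38:47 sensor bro: AddressScan: 10.0.0.5 has scanned 100 hosts (port 22)
Dec 30 02:38:48 sensor bro: ContentGap: 10.0.0.7/5432 > 10.0.0.9/80 gap in stream
Dec 30 02:38:48 sensor bro: ContentGap: 10.0.0.8/4321 > 10.0.0.9/80 gap in stream
Dec 30 02:38:49 sensor bro: ContentGap: 10.0.0.6/1234 > 10.0.0.9/80 gap in stream
Dec 30 02:38:50 sensor kernel: eth0: link up
Dec 30 02:38:51 sensor bro: SensitiveSignature: 10.0.0.9 matched signature s1
Dec 30 02:38:52 sensor bro: ContentGap: 10.0.0.4/2222 > 10.0.0.9/80 gap in stream
"""

# Syslog prefix (month, day, time, host) followed by the Bro program tag and
# the notice type. Only lines matching this are counted as Bro alarms.
BRO_LINE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ bro: (?P<ntype>[A-Za-z_]+):"
)


def parse_bro_notices(text):
    """Yield (notice_type, line) for every syslog line that is a Bro alarm."""
    for line in text.splitlines():
        m = BRO_LINE.match(line)
        if m:
            yield m.group("ntype"), line


def count_notice_types(text):
    """Count Bro alarm lines per notice type; non-Bro syslog lines are ignored."""
    return Counter(ntype for ntype, _ in parse_bro_notices(text))


def noisy_types(counts, min_share=0.5):
    """Return notice types whose share of all Bro alarm lines is at least
    min_share, most frequent first (ties broken by name). These are the
    candidates to demote from alarms to plain notices so they stop
    reaching syslog."""
    total = sum(counts.values())
    if total == 0:
        return []
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ntype for ntype, n in ranked if n / total >= min_share]


def report(text, min_share=0.5):
    """Human-readable summary: per-type counts plus the demotion candidates."""
    counts = count_notice_types(text)
    total = sum(counts.values())
    lines = [f"{total} Bro alarm lines in syslog"]
    for ntype, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"  {ntype:<20} {n:>6}  ({100 * n / total:5.1f}%)")
    lines.append("candidates to demote from alarm to notice: "
                 + ", ".join(noisy_types(counts, min_share)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MESSAGES))
```

Run it against a real file with `report(open("/var/log/messages").read())` after adapting `BRO_LINE` to the actual line layout; the output tells you which notice types account for most of the syslog growth, which is exactly the information needed to decide what to filter down rather than deleting the log.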