[Bro] Connection records in a database?
rreitz at fnal.gov
Thu Oct 2 13:18:30 PDT 2008
I want to stuff connection records into a relational database (likely
postgres). Has anyone done this?
My first shot will be to write a simple python process that tails the
conn.* log file and inserts records. I'm wondering if there is a more
elegant way to collect and insert connection records?
As far as motivation, at FNAL we have an issue tracking system which
includes email notification. I would like to use bro to find 'issues'
and then create an event in the issue tracking system. The tracking
system workflow will resolve a local IP address into a specific
machine, find the registered user(s) and send a notification email
(informational, warning, critical). It would be useful if this email
contained a list of recent connections for the system. This would
help the recipient understand what recent computer use caused the
network activity that triggered the issue. Hence, having recent
connections in a database would be helpful.
I think time machine might be too much. Currently I'm thinking of
saving a small time period - say a rolling week's worth of connections
(or whatever fits). I've previously used splunk (http://www.splunk.com)
to suck in connection records for later searches. This worked, however
splunk introduced a delay in retrieval that caused problems formatting
the notification email.
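The approach sketched in the post (a small Python process that follows the conn log and inserts records, then a query that pulls a host's recent connections for the notification email), as an added example that is not the poster's script and not part of Bro. It assumes a simplified space-separated column layout for the conn log (the real layout of your conn.* files may differ) and uses sqlite3 in place of PostgreSQL so it runs offline; the SQL is plain enough to port. The sample log lines are constructed. Every value that comes out of the log, including the host address later looked up for the email, goes through parameterised queries rather than string formatting, since those fields are ultimately chosen by whoever is on the other end of the connection.

```python
"""Tail a Bro conn log into a relational database and query a host's
recent connections.  Added example for this thread; not Bro's code."""
import sqlite3
import time

# Assumed column order: a simplification of the Bro conn log.  Adjust to the
# actual layout of the conn.* files you are reading.
COLUMNS = ("start", "duration", "orig_h", "resp_h", "service",
           "orig_p", "resp_p", "proto", "orig_bytes", "resp_bytes", "state")

# Constructed sample lines (RFC 1918 / documentation addresses, not real hosts).
SAMPLE_LOG = """\
1222988000.10 0.52 10.1.2.3 192.0.2.5 http 40001 80 tcp 512 2048 SF
1222988100.30 12.0 10.1.2.3 198.51.100.9 ssh 40002 22 tcp 3000 5000 S1
1222380000.00 1.00 10.1.2.4 192.0.2.5 http 40003 80 tcp 100 100 SF
"""


def _num(value, conv):
    """Bro uses '?' for unknown values in some fields; map that to NULL."""
    return None if value == "?" else conv(value)


def parse_conn_line(line):
    """Turn one conn log line into a dict; None for blank, comment or short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < len(COLUMNS):
        return None
    rec = dict(zip(COLUMNS, fields[:len(COLUMNS)]))
    rec["start"] = float(rec["start"])
    rec["duration"] = _num(rec["duration"], float)
    for key in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
        rec[key] = _num(rec[key], int)
    return rec


class ConnStore:
    """Rolling store of connection records (sqlite3 here; PostgreSQL in production)."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("""CREATE TABLE IF NOT EXISTS conn (
            start REAL, duration REAL, orig_h TEXT, resp_h TEXT, service TEXT,
            orig_p INTEGER, resp_p INTEGER, proto TEXT,
            orig_bytes INTEGER, resp_bytes INTEGER, state TEXT)""")
        # Indexes for the two queries the workflow needs: per-host lookups and pruning.
        self.db.execute("CREATE INDEX IF NOT EXISTS conn_orig ON conn(orig_h, start)")
        self.db.execute("CREATE INDEX IF NOT EXISTS conn_resp ON conn(resp_h, start)")
        self.db.execute("CREATE INDEX IF NOT EXISTS conn_start ON conn(start)")

    def ingest(self, lines):
        """Parse and insert each line; returns the number of records stored."""
        placeholders = ",".join("?" * len(COLUMNS))
        count = 0
        for line in lines:
            rec = parse_conn_line(line)
            if rec is None:
                continue
            # Parameterised insert: log fields are never spliced into the SQL text.
            self.db.execute("INSERT INTO conn VALUES (%s)" % placeholders,
                            tuple(rec[c] for c in COLUMNS))
            count += 1
        self.db.commit()
        return count

    def recent_for_host(self, host, since):
        """Connections involving host that started at or after since, newest first."""
        cur = self.db.execute(
            "SELECT start, orig_h, orig_p, resp_h, resp_p, proto, service, state "
            "FROM conn WHERE (orig_h = ? OR resp_h = ?) AND start >= ? "
            "ORDER BY start DESC", (host, host, since))
        return cur.fetchall()

    def prune_older_than(self, cutoff):
        """Drop records older than cutoff (e.g. now minus one week); returns rows deleted."""
        cur = self.db.execute("DELETE FROM conn WHERE start < ?", (cutoff,))
        self.db.commit()
        return cur.rowcount


def tail_file(path, poll=1.0):
    """Yield lines appended to path, like tail -f (hypothetical helper; does not
    handle log rotation, which a real deployment must)."""
    with open(path) as f:
        f.seek(0, 2)
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


if __name__ == "__main__":
    store = ConnStore()
    print("stored", store.ingest(SAMPLE_LOG.splitlines()))
    for row in store.recent_for_host("10.1.2.3", 1222988000.0):
        print(row)
```

For the real feed replace `SAMPLE_LOG.splitlines()` with `tail_file("conn.log")`, and run `prune_older_than(time.time() - 7 * 86400)` from a periodic job to keep the rolling week. The `(orig_h, start)` and `(resp_h, start)` indexes are what keep the per-host lookup fast enough to format the email without the retrieval delay mentioned in the post.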