[Bro] Exporting bro alarms and notices
ngo at lvk.cs.msu.su
Thu Nov 10 05:52:52 PST 2011
Thanks for your answer.
So is the syslog logging (either local or remote) the only alternative
to logfiles? No database nor ability to add custom log-processing hooks?
As for IDMEF, I don't personally like the format (bloated XML messages
are a nightmare) but it seems this is the only option to handle alerts
in a mixed IDS/IPS environment.
On 10.11.2011 17:42, Louis F Ruppert wrote:
> If you're using 1.5.x, you can export alarms via syslog like this:
> redef enable_syslog = T;
> Some of my installations use prelude's LML to then pull the syslogged
> alerts in and mix them with the other NIDS/HIDS data.
> If you're using 2.x beta, Martin did a good writeup here on how to use
> rsyslog to syslog them to another server:
> I'm glad you asked about the IDMEF support. I've been making some
> noise for that as well. :)
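As an added illustration of the rsyslog forwarding mentioned for 2.x (this is not code from the thread or from Martin's writeup), the following rsyslog.conf fragment keeps a local copy of Bro's syslogged alarms and forwards them reliably to a collector; it assumes Bro's syslog messages carry the program name "bro" and uses the documentation address 192.0.2.10 as a placeholder for the collector:

```conf
# Assumptions (not from the thread): Bro logs to syslog with program
# name "bro"; the central collector listens on 192.0.2.10:514/TCP.

# Keep a local copy of Bro alarms in their own file.
:programname, isequal, "bro" /var/log/bro-alarms.log

# Queue the forwarding action in memory and spill to disk, so alarms
# survive a collector outage instead of being silently dropped.
$ActionQueueType LinkedList
$ActionQueueFileName broalarms
$ActionQueueMaxDiskSpace 100m
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# Forward over TCP (@@) rather than UDP (@) so delivery is acknowledged.
:programname, isequal, "bro" @@192.0.2.10:514

# Discard the already-handled lines so they do not also land in
# /var/log/messages ("& stop" on rsyslog 7 and newer).
& ~
```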