[Bro] bro operational questions

Seth Hall seth at icir.org
Mon May 7 11:34:00 PDT 2012


On May 7, 2012, at 2:14 PM, Dalton Porter wrote:

> I need to keep bro up and running to process logs continuously.  I was wondering what folks would suggest for doing that.  Does broctl automatically restart the process if it dies?

Yes, it does.  BroControl was built around the need to keep running Bro constantly.  You need to make sure that you have a cron job in your system's crontab to run the "broctl cron" command.  It's documented at this section of our quick start guide:

	http://bro-ids.org/documentation/quickstart.html#a-minimal-starting-configuration

>  Using broctl, how do I specify snaplen=X  in the config file? I have tried putting variations of this into broctl.cfg, but it's not happy
>   BroArgs = snaplen 65535

Into your local.bro add this (then in broctl, do "check", "install", "restart"):

redef snaplen = 65535;

It's not a command line argument (although you can give it that way, it's probably better to keep it as part of your Bro script configuration).

> Finally, what is the best way to specify the logging output path?  Is this in a config file or do I need to set it in a script?
>    Log::add_filter(HTTP::LOG,[$name="myname", $path="/my/custom/path/basename", …

In broctl.cfg:

logdir=/my/custom/path/basename

The $path field in the logging framework is used as the filename for the various logs.  We didn't use the term "filename" because once we have database output plugins the $path field will be used as the table name.  

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
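As an added illustration of the two answers above (it is not part of Seth's reply or of the Bro distribution), a local.bro fragment that sets snaplen and adds a second HTTP log filter whose $path picks its own file under broctl's logdir; the filter name "http-errors" and the status-code condition are assumptions chosen for this example.

```bro
# Added example: local.bro fragment tying together the snaplen and $path
# answers from the thread. The filter name and path below are assumptions.

# Capture full-size frames. This belongs in local.bro rather than on the
# command line; after editing, run broctl "check", "install", "restart".
redef snaplen = 65535;

event bro_init()
    {
    # Filters are additive: the default http.log filter keeps writing every
    # request, and this second filter writes only HTTP error responses to a
    # separate file. $path is the log filename (relative to logdir), so the
    # output lands in logdir/http-errors.log, not in a new directory.
    Log::add_filter(HTTP::LOG, [$name="http-errors",
                                $path="http-errors",
                                $pred(rec: HTTP::Info) = {
                                    return rec?$status_code && rec$status_code >= 400;
                                }]);
    }
```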
