[Bro] Intel Framework, Notices, and sending out emails
seth at icir.org
Fri Dec 20 08:11:13 PST 2013
On Dec 20, 2013, at 10:27 AM, Derek Banks <itsecderek at gmail.com> wrote:
> hook Notice::policy(n: Notice::Info)
> 	{
> 	add n$actions[Notice::ACTION_ALARM];
> 	}
The alarm action may be a little confusing. What it's doing is batching up notices and then sending them out on your log rotation interval in a single email. It's sort of the lower priority notices that you don't care about receiving the instant they occur but you'd still like to know about them soon.
You also have the ability to do multiple actions per-notice so you don't need to worry about overwriting an action if you add multiple. :)
International Computer Science Institute
(Bro) because everyone has a network
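As an added example (not part of Seth's reply or the Bro distribution), a Notice::policy hook that attaches both the batched ACTION_ALARM and the immediate ACTION_EMAIL action to one notice type, showing the "multiple actions per notice" point from the reply. The notice type Example::Suspicious_Thing and the mail address are assumptions made up for this illustration; Notice::ACTION_ALARM, Notice::ACTION_EMAIL and Notice::mail_dest are the framework's own names.

```bro
# Added example, not from the original thread. Assumes a hypothetical
# notice type and a placeholder mail destination.
@load base/frameworks/notice

module Example;

export {
	redef enum Notice::Type += {
		## Hypothetical notice type used only for this example.
		Suspicious_Thing,
	};
}

# Without a destination, ACTION_EMAIL and ACTION_ALARM have nowhere to send.
# Placeholder address: replace with your team's mailbox.
redef Notice::mail_dest = "secteam@example.com";

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != Suspicious_Thing )
		return;

	# Batched: rolled into the single alarm summary mail that goes out
	# on the log rotation interval (lower urgency, but not ignored).
	add n$actions[Notice::ACTION_ALARM];

	# Immediate: one email per notice the moment it is raised.
	# Adding a second action does not overwrite the first; both fire.
	add n$actions[Notice::ACTION_EMAIL];
	}
```

Actions are a set on the Notice::Info record, so several policy hooks (or several `add` statements in one hook) can each contribute an action to the same notice without clobbering each other; the log action remains the default unless a hook removes it.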