[Bro] Using the sqlite logger in cluster mode

Christian Kollee christian.kollee at fkie.fraunhofer.de
Wed Oct 29 07:48:09 PDT 2014


We try to use the sqlite logger with a simple cluster configuration
(SecurityOnion with manager, proxy and one worker on the same machine).
We added a module to $PREFIX/share/bro containing just the example
script from bro.org [1]. After restarting bro (using broctl restart
--clean) the manager will crash on the next connection.

However, if we start bro using standalone mode the script works as
intended. The database file is created and the connections are added.
Switching back to cluster mode everything works now.

Removing the database file and creating an empty one using the schema
extracted previously will also crash the manager in cluster mode.

We are a little bit puzzled what went wrong here and how to get the
sqlite logger working in cluster mode. Did we miss something or is this
a bug (or a feature)?

Best regards

[1] https://www.bro.org/sphinx-git/frameworks/logging-input-sqlite.html
