[Bro] The right way to disable bro write local file and enable elasticsearch
dnthayer at illinois.edu
Fri May 22 08:55:28 PDT 2015
On 05/21/2015 09:59 PM, Mo Jia wrote:
> Thanks.
> Using this code, I successfully got what I wanted:
> event bro_init() &priority=-5
> 	{
> 	for ( stream_id in Log::active_streams )
> 		Log::remove_filter(stream_id, "default");
> 	}
> By the way,
> #:/usr/local/bro/logs/current$ ls
> debug.log packet_filter.log stderr.log stdout.log
> These logs can't be removed this way.
The reason why you are seeing the packet_filter.log is
because it gets created before you remove its default filter.
To prevent the log file from being created, try removing the
"&priority=-5" on your bro_init event handler.
The reason why you are seeing those other files is because they
are not created by the logging framework (e.g., stdout.log/stderr.log
are created by broctl).
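As an added example (not code from this thread), the following Bro script applies the advice above: the handler has no &priority attribute so the default filters are removed before lower-priority handlers write anything, and each stream then gets an Elasticsearch filter instead. It assumes a Bro 2.x build with the ElasticSearch log writer available as Log::WRITER_ELASTICSEARCH; the keep_local set is a constructed placeholder for streams that should keep their local file.

```bro
# Added example: stop writing local ASCII logs, ship them to Elasticsearch.
# Assumes Bro 2.x with the ElasticSearch writer (Log::WRITER_ELASTICSEARCH).
# No &priority here: the default priority 0 runs before handlers at -5,
# so the "default" filter is gone before packet_filter.log would be written.

# Constructed placeholder: streams that should still produce a local file.
const keep_local: set[Log::ID] = { PacketFilter::LOG } &redef;

event bro_init()
	{
	for ( stream_id in Log::active_streams )
		{
		if ( stream_id in keep_local )
			next;

		# Remove the ASCII writer so no file appears under logs/current.
		Log::remove_filter(stream_id, "default");

		# Route the same records to Elasticsearch instead.
		local f: Log::Filter = [$name = "es",
		                        $writer = Log::WRITER_ELASTICSEARCH];
		Log::add_filter(stream_id, f);
		}
	}
```

stdout.log and stderr.log are written by broctl rather than the logging framework, so no filter change affects them.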