[Bro] Bro not producing a notice.log
Azoff, Justin S
jazoff at illinois.edu
Fri Apr 8 04:57:33 PDT 2016
> On Apr 7, 2016, at 6:46 PM, Paweł Piszczatowski <pawelec93 at googlemail.com> wrote:
> I have a Bro cluster setup in the AWS cloud, currently just with one node. My problem is that Bro is not producing the notice.log, it should just log successful SSH logins but it doesn't. I have tried SSH and FTP bruteforcing the worker node and exceeding the limit of failed connections, again no notice.log. I can see the detect-bruteforcing.bro scripts loaded in the loaded_scripts.log. I am pretty new to Bro, so I am not sure what I am doing wrong.
> I still can't understand it why is it not producing the notice.log. I have
> all the other logs (conn, http, ssl, x509 etc) and they are working fine.
Are you running Bro on the machine that is running the ssh and ftp server?
Your logs are likely broken, but you haven't looked closely enough at them. Just because a log exists doesn't mean bro is seeing both sides of the connection.
- Justin Azoff
More information about the Bro