[Bro] logging locally and to remote logger

william de ping bill.de.ping at gmail.com
Tue Nov 15 03:31:25 PST 2016


If you wish to log locally and you care about the worker-id that produced
this logged event:

   - to know what the worker-id is, you can add a field "worker" to your
   logs and populate it from a Bro script using: get_event_peer()$descr
   - to change the rotation for each log (here, rotate every 200 minutes)
   you need to use
      - Log::remove_default_filter(SSH::LOG);
      - and then Log::add_filter(SSH::LOG, [$name="ssh", $path="ssh",
      $interv=200min, $include=set("field1","field2")]);
      - btw, you can set $path to be a mounted dir
   - to save the log to another machine simultaneously:
      - use bro, add a new writer (https://www.bro.org/sphinx/
      and then add_filter to ssh and ask it to use the new writer
      - use syslog, just monitor this main local log and transmit it to
      another machine

Hope it helps

On Mon, Nov 14, 2016 at 4:35 PM, erik clark <philosnef at gmail.com> wrote:

> So, if I use:
> redef Log::enable_local_logging
> in a bro worker cluster, what I find is that all the logs go to
> /data/bro/spool/worker-1-X instead of all in /data/bro/logs/current on the
> local machine... Is there a way to fix this?
> Also, I would want to rotate logs out on the workers that are doing
> additional local logging to have a much more constrained timeframe for
> logging, specifically 1 week for local nodes, and 3 months for the logger
> host.
> Is the best way to do this just with a cron rm -rf /data/bro/logs/$date ?
> It seems this would run into a conflict with broctl config....
> Thanks!
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161115/f54ec67e/attachment.html 
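A worked version of the recipe above, added here as an example; it is not code from the thread or from the Bro project. It assumes Bro 2.4/2.5 script syntax, that the file is loaded from broctl's worker-only site/local-worker.bro (so the manager/logger keeps the stock ssh.log and its own rotation), and that /mnt/remote-logs is a placeholder for a mounted directory that already exists (the ASCII writer does not create it). It fills the worker column from Cluster::node instead of get_event_peer()$descr, the $include column list is one reasonable choice rather than the thread's "field1"/"field2", and the no-op $postprocessor on the mounted copy is my addition so that broctl's archive-log does not move those rotated files back into the logs/ tree.

```bro
# Added example (not from the thread): a cluster worker's own ssh.log with a
# "worker" column and a short rotation interval, plus a second copy of the
# same records on a mounted directory with a longer interval.
# Load from broctl's site/local-worker.bro, not local.bro.
@load base/frameworks/cluster
@load base/protocols/ssh

# Cluster workers forward log records to the logger/manager and do not
# write locally; turn local writing back on (remote logging stays enabled).
redef Log::enable_local_logging = T;

module LocalSSH;

export {
	## Rotation for the worker's own copy (short retention on workers).
	const local_interval = 200min &redef;
	## Rotation for the copy kept on the mounted directory.
	const mounted_interval = 1day &redef;
	## Placeholder path (assumption): an existing directory on the mount.
	const mounted_dir = "/mnt/remote-logs" &redef;
}

# Extra column so you can tell which worker produced each line.
redef record SSH::Info += {
	worker: string &log &optional;
};

# Filter predicate: Log::write calls it synchronously before the record is
# handed to the writer, so the field set here reaches the log line.
# It always returns T, i.e. it never drops a record.
function tag_worker(rec: SSH::Info): bool
	{
	rec$worker = Cluster::node == "" ? "standalone" : Cluster::node;
	return T;
	}

# Leave rotated files on the mount under their rotation-time name instead
# of running the default ASCII post-processing (under broctl: archive-log).
function keep_on_mount(info: Log::RotationInfo): bool
	{
	return T;
	}

# Negative priority: runs after the SSH script's bro_init has created the
# stream and its default filter.
event bro_init() &priority=-5
	{
	# Drop the stock "default" filter so ssh.log is not written twice.
	Log::remove_default_filter(SSH::LOG);

	# Local copy: a relative $path lands in the worker's working directory,
	# which under broctl is spool/<worker-name>/.
	Log::add_filter(SSH::LOG, [$name="ssh-local",
	                           $path="ssh",
	                           $pred=tag_worker,
	                           $interv=local_interval,
	                           $include=set("ts", "uid",
	                                        "id.orig_h", "id.orig_p",
	                                        "id.resp_h", "id.resp_p",
	                                        "auth_success", "client",
	                                        "server", "worker")]);

	# Same records, second ASCII writer instance on the mounted directory,
	# with its own rotation interval; same pred so this copy also carries
	# the worker column.
	Log::add_filter(SSH::LOG, [$name="ssh-mounted",
	                           $path=fmt("%s/ssh", mounted_dir),
	                           $pred=tag_worker,
	                           $interv=mounted_interval,
	                           $postprocessor=keep_on_mount]);
	}
```

After `broctl install` and `broctl restart`, confirm on a worker that spool/<worker-name>/ssh.log lists "worker" in its #fields header and that ssh.log is appearing under the mounted directory; `broctl check` will catch script errors before the restart.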
