[Bro] multiple tables in SQLite Database

Ul Asad, Hafiz Hafiz.Ul-Asad.1 at city.ac.uk
Sat Mar 25 07:39:19 PDT 2017


Thanks Aashish,

So you mean the following script,

event bro_init()
    {
    local filter: Log::Filter =
        [
        $name="sqlite",
        $path="/var/db/conn",
        $config=table(["tablename"] = "conn"),
        $writer=Log::WRITER_SQLITE
        ];
    
    Log::add_filter(Conn::LOG, filter);
    }

Would write conn.log to a "postgres" database if we make what changes??

Asad

-----Original Message-----
From: Aashish Sharma [mailto:asharma at lbl.gov] 
Sent: 25 March 2017 14:25
To: Ul Asad, Hafiz <Hafiz.Ul-Asad.1 at city.ac.uk>
Cc: bro at bro.org
Subject: Re: [Bro] multiple tables in SQLite Database

Asad, 

You'd need to use postgres instead. SQLite + BRO is good for read-only operations. If you have a lot of reads/writes Postgres works fantastic. It should be fairly straightforward to port your current bro SQLITE policy to use postgres code. I have been using postgres instead as well. Don't use sqlite.

Aashish  

On Sat, Mar 25, 2017 at 09:39:28AM +0000, Ul Asad, Hafiz wrote:
> Bro Users,
> 
> I have been trying to have multiple logs in a single sqlite database but I am getting the "database is locked" error. This problem was previously raised here, https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aworklog-tabpanel. I wonder if there has been any solution for it in Bro 2.5?
> 
> Regards
> Asad
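
Added example, not part of the original thread and not Bro code: a Python sketch of the "database is locked" failure when two independent connections write different tables in one SQLite file. It assumes the error in the thread comes from SQLite's one-writer-per-file locking; the table names, rows and the `second_writer_result` helper are constructed for illustration.

```python
import os
import sqlite3
import tempfile
import threading
import time


def second_writer_result(busy_timeout_s, hold_s=0.3):
    """Return None if the second writer's INSERT succeeds, else SQLite's error text."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "logs.sqlite")  # constructed scratch database
        setup = sqlite3.connect(path)
        setup.execute("CREATE TABLE conn (uid TEXT)")
        setup.execute("CREATE TABLE dns (uid TEXT)")
        setup.commit()
        setup.close()

        holding = threading.Event()

        def first_writer():
            a = sqlite3.connect(path, isolation_level=None)
            a.execute("BEGIN IMMEDIATE")  # takes the file-wide write lock
            a.execute("INSERT INTO conn VALUES ('C1')")
            holding.set()
            time.sleep(hold_s)  # simulates a slow batch of log writes
            a.execute("COMMIT")
            a.close()

        t = threading.Thread(target=first_writer)
        t.start()
        holding.wait()

        # Second writer: separate connection, different table, same file.
        b = sqlite3.connect(path, timeout=busy_timeout_s, isolation_level=None)
        try:
            b.execute("INSERT INTO dns VALUES ('D1')")
            return None
        except sqlite3.OperationalError as exc:
            return str(exc)
        finally:
            b.close()
            t.join()


if __name__ == "__main__":
    print("no busy timeout:", second_writer_result(0))
    print("5 s busy timeout:", second_writer_result(5.0))
```

The lock is per database file, not per table, so the second writer only succeeds when it is allowed to wait for the first to commit.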
