[Bro-Dev] Portmapper logging

Gregor Maier gregor at icir.org
Mon Dec 6 11:41:57 PST 2010


On 12/6/10 11:37 , Seth Hall wrote:
> 
> On Dec 6, 2010, at 12:30 PM, Gregor Maier wrote:
> 
>> * I want to add an actual portmapper.log file to log portmapper
>>  activity. If we have that, we wouldn't need the "addl" anymore. Is it
>>  worth removing it? (Esp. wrt the new logging framework)
> 
> I would really like to see any activity logs for policy scripts moved out into their own logs.  At OSU for instance, we didn't even keep the conn.log (we closed the log file) because it was mostly repetitive data that we didn't get much benefit from keeping.  It's obviously much faster to grep smaller logs too. :)

That's the one change I actually need/want to do for my NFS/portmapper
analysis. I want to have this information in its own portmapper.log
file. Removing the code that adds stuff to "addl" in portmapper.bro is
straight-forward if desired.


cu
Gregor
-- 
Gregor Maier                                             gregor at icir.org
Int. Computer Science Institute (ICSI)          gregor at icsi.berkeley.edu
1947 Center St., Ste. 600                    http://www.icir.org/gregor/
Berkeley, CA 94704
USA


