[Bro-Dev] alarm function

Vern Paxson vern at icir.org
Fri Jun 3 14:04:35 PDT 2011


> I can implement the alarm.log as a filter on the notice.log with the logging framework, but I'm not completely sure what benefits come from keeping a separate file since there is a field in the notice.log that indicates if it was alarmed on.

One benefit is that alarm.log is often much smaller than notice.log
(a factor of 10,000 smaller for my ICSI config).  Sure, one can figure
out how to grep the notice.log file for the particular needles in the
haystack, but it can be nice to just have them sitting there directly.

		Vern
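The filter-based implementation mentioned in the quoted message, written out as an added example (not code from this thread or from the Bro distribution); it assumes the Bro 2.x-era logging API with `Log::add_filter`, the `Notice::LOG` stream, and `Notice::ACTION_ALARM` in the notice's `$actions` set:

```zeek
# Added example: keep notice.log intact and additionally write only the
# alarmed notices to a separate, much smaller alarm.log.
# Assumes: Notice::LOG stream, Notice::Info records with an $actions set,
# and the Notice::ACTION_ALARM action (Bro 2.x-era logging framework).
event bro_init()
    {
    # Stream filter on Notice::LOG; the default filter still produces notice.log.
    Log::add_filter(Notice::LOG, [
        $name = "alarm",          # filter name, distinct from the default filter
        $path = "alarm",          # writes to alarm.log
        # Predicate: only records carrying the ALARM action pass through.
        $pred = function(rec: Notice::Info): bool
            {
            return Notice::ACTION_ALARM in rec$actions;
            }
        ]);
    }
```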
