[Bro-Dev] alarm function

Aashish Sharma asharma at lbl.gov
Fri Jun 3 14:16:55 PDT 2011

I would personally prefer having alarms go in a separate file
1) Saves me to set up a post-process to extract NOTICE_ALARM from notice logs 
2) Get alarm.log emailed periodically and saving NOTICE_EMAIL for really crucial notices. 
3) Allows me to write a little generic rules with NOTICE_FILE since I
don't much worry about bloated notice log 


On Fri, Jun 03, 2011 at 02:04:35PM -0700, Vern Paxson wrote:
> > I can implement the alarm.log as a filter on the notice.log with the logging framework, but I'm not completely sure what benefits come from keeping a separate file since there is a field in the notice.log that indicates if it was alarmed on.
> One benefit is that alarm.log is often much smaller than notice.log
> (a factor of 10,000 smaller for my ICSI config).  Sure, one can figure
> out how to grep the notice.log file for the particular needles in the
> haystack, but it can be nice to just have them sitting there directly.
> 		Vern
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

Aashish Sharma	(asharma at lbl.gov) 				 
Cyber Security, Information Technology Division  
Lawrence Berkeley National Laboratory  
Office: (510)-495-2680  Cell: (510)-457-1525
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20110603/3113dfef/attachment.bin 

More information about the bro-dev mailing list