[Bro-Dev] alarm function
Aashish Sharma
asharma at lbl.gov
Fri Jun 3 14:16:55 PDT 2011
I would personally prefer having alarms go in a separate file
(alarm.log):
1) Saves me from setting up a post-process to extract NOTICE_ALARM from notice logs
2) Get alarm.log emailed periodically, saving NOTICE_EMAIL for really crucial notices.
3) Allows me to write little generic rules with NOTICE_FILE since I
don't worry much about a bloated notice log
Aashish
On Fri, Jun 03, 2011 at 02:04:35PM -0700, Vern Paxson wrote:
> > I can implement the alarm.log as a filter on the notice.log with the logging framework, but I'm not completely sure what benefits come from keeping a separate file since there is a field in the notice.log that indicates if it was alarmed on.
>
> One benefit is that alarm.log is often much smaller than notice.log
> (a factor of 10,000 smaller for my ICSI config). Sure, one can figure
> out how to grep the notice.log file for the particular needles in the
> haystack, but it can be nice to just have them sitting there directly.
>
> Vern
--
Aashish Sharma (asharma at lbl.gov)
Cyber Security, Information Technology Division
Lawrence Berkeley National Laboratory
http://www.lbl.gov/cyber/pgp-aashish.txt
Office: (510)-495-2680 Cell: (510)-457-1525
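For reference, this is what the "alarm.log as a filter on notice.log" idea from the quoted message looks like in the Bro 2.0-era logging framework. It is an added illustration, not code from the thread or from the Bro distribution, and it assumes the Log::add_filter() API with a $pred predicate, the Notice::LOG stream, and that a notice's actions are carried in the logged `actions` field with Notice::ACTION_ALARM as the alarm action. The default filter keeps writing every notice to notice.log; the extra filter copies only alarmed notices into alarm.log, which gives the small, separate file argued for above without a post-processing step.

```bro
# Added example (not part of Bro): split alarmed notices into alarm.log
# while leaving notice.log intact. Assumes the Bro 2.0 logging framework
# (Log::add_filter with a $pred function) and Notice::ACTION_ALARM.
@load base/frameworks/notice

module Notice;

# Assumed predicate: a notice is an "alarm" if ACTION_ALARM is among the
# actions the notice policy attached to it. Everything else is filtered out.
function is_alarm(rec: Notice::Info): bool
    {
    return ACTION_ALARM in rec$actions;
    }

# Negative priority so this runs after the Notice::LOG stream has been
# created by the notice framework's own bro_init handler.
event bro_init() &priority=-5
    {
    # The filter named "default" still exists and writes notice.log.
    # This second filter writes the alarmed subset to alarm.log.
    Log::add_filter(Notice::LOG, [$name="alarm",
                                  $path="alarm",
                                  $pred=is_alarm]);
    }
```

Because the `actions` column is also present in notice.log, the two files stay consistent: a line in alarm.log is always a line in notice.log with ACTION_ALARM in its actions, so the grep approach and the filter approach agree on which notices count as alarms. A similar filter with a predicate on ACTION_EMAIL would carve out the "really crucial" notices the same way.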