[Bro-Dev] Multiple logs in one SQLite database

Johanna Amann johanna at icir.org
Wed Nov 4 15:43:20 PST 2015


Hello Jakub,

this is a known bug at the moment - tracked in 
https://bro-tracker.atlassian.net/browse/BIT-1325

At the moment there is no workaround to this, besides writing to 
separate sqlite database files -- sorry.

Johanna

On 5 Nov 2015, at 7:03, Jakub S. Paulovic wrote:

> Hello,
>
> I am trying to set up Bro to log all the events to a SQLite database.
> In my local.bro file, I have added an event bro_init() with filters
> specifying the writer to be WRITER_SQLITE like this:
>
>      local filter_conn: Log::Filter =
>               [
>               $name="sqlite",
>               $path="/var/db/conn",
>               $config=table(["tablename"] = "conn"),
>               $writer=Log::WRITER_SQLITE
>               ];
>
>       Log::add_filter(Conn::LOG, filter_conn);
>
>       local filter_notice: Log::Filter =
>               [
>               $name="sqlite",
>               $path="/var/db/conn",
>               $config=table(["tablename"] = "notice"),
>               $writer=Log::WRITER_SQLITE
>               ];
>
>       Log::add_filter(Notice::LOG, filter_notice);
>
> ... + other filters for http, dhcp and weird set accordingly.
>
> I want the logs to be written to separate tables in one SQLite database.
> However, when I run bro with this configuration, I almost immediately get
> SQLite errors:
> error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: SQLite call failed: database is locked
> error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: terminating thread
>
> After that, nothing else is written to the affected table. Could you
> please suggest what I should do to achieve logging to one database with
> multiple tables?
>
> Thanks
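
With the workaround from the reply above (one SQLite file per log stream), the per-stream files can still be queried together by attaching them to a single connection. This is an added example, not code from the thread or from Bro; the file names, the simplified table columns and the sample rows are constructed for illustration.

```python
import os
import sqlite3

# Constructed sample rows; the columns are a simplified stand-in, not Bro's schema.
CONN_ROWS = [
    (1446680000.1, "Cuid0001", "192.0.2.10", 22),
    (1446680003.4, "Cuid0002", "198.51.100.7", 443),
    (1446680009.9, "Cuid0003", "192.0.2.10", 80),
]
NOTICE_ROWS = [
    (1446680004.0, "Cuid0002", "SSL::Invalid_Server_Cert"),
    (1446680001.5, "Cuid0001", "SSH::Interesting_Hostname_Login"),
]


def _write(path, ddl, insert, rows):
    db = sqlite3.connect(path)
    try:
        db.execute(ddl)
        db.executemany(insert, rows)
        db.commit()
    finally:
        db.close()


def build_sample_logs(directory):
    """Create one SQLite file per log stream, as in the workaround (assumed names)."""
    conn_db = os.path.join(directory, "conn.sqlite")
    notice_db = os.path.join(directory, "notice.sqlite")
    _write(conn_db, "CREATE TABLE conn (ts REAL, uid TEXT, orig_h TEXT, resp_p INTEGER)",
           "INSERT INTO conn VALUES (?, ?, ?, ?)", CONN_ROWS)
    _write(notice_db, "CREATE TABLE notice (ts REAL, uid TEXT, note TEXT)",
           "INSERT INTO notice VALUES (?, ?, ?)", NOTICE_ROWS)
    return conn_db, notice_db


def notices_with_conn(conn_db, notice_db):
    """Attach the notice file to a connection on the conn file and join on uid."""
    db = sqlite3.connect(conn_db)
    try:
        db.execute("ATTACH DATABASE ? AS notice_db", (notice_db,))
        return db.execute(
            "SELECT n.note, c.orig_h, c.resp_p "
            "FROM notice_db.notice AS n JOIN main.conn AS c ON c.uid = n.uid "
            "ORDER BY n.ts").fetchall()
    finally:
        db.close()
```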

