[Bro-Dev] Multiple logs in one SQLite database

Johanna Amann johanna at icir.org
Wed Nov 4 15:56:57 PST 2015


Actually - there is a patch in that bug that you might want to try - I 
forgot about that. I am not completely sure about the performance 
implications it might have though.

Johanna

On 5 Nov 2015, at 8:43, Johanna Amann wrote:

> Hello Jakub,
>
> this is a known bug at the moment - tracked in
> https://bro-tracker.atlassian.net/browse/BIT-1325
>
> At the moment there is no workaround to this, besides writing to
> separate sqlite database files -- sorry.
>
> Johanna
>
> On 5 Nov 2015, at 7:03, Jakub S. Paulovic wrote:
>
>> Hello,
>>
>> I am trying to set up Bro to log all the events to a SQLite database. In my
>> local.bro file, I have added an event bro_init() with filters specifying
>> the writer to be WRITER_SQLITE like this:
>>
>>    local filter_conn: Log::Filter =
>>             [
>>             $name="sqlite",
>>             $path="/var/db/conn",
>>             $config=table(["tablename"] = "conn"),
>>             $writer=Log::WRITER_SQLITE
>>             ];
>>
>>     Log::add_filter(Conn::LOG, filter_conn);
>>
>>     local filter_notice: Log::Filter =
>>             [
>>             $name="sqlite",
>>             $path="/var/db/conn",
>>             $config=table(["tablename"] = "notice"),
>>             $writer=Log::WRITER_SQLITE
>>             ];
>>
>>     Log::add_filter(Notice::LOG, filter_notice);
>>
>> ... + other filters for http, dhcp and weird set accordingly.
>>
>> I want the logs to be written to separate tables in one SQLite database.
>> However, when I run bro with this configuration, I almost immediately get
>> SQLite errors:
>> error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: SQLite call failed: database is locked
>> error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: terminating thread
>>
>> After that, nothing else is written to the affected table. Can you please
>> suggest what I should do to achieve logging to one database with
>> multiple tables?
>>
>> Thanks
>> _______________________________________________
>> bro-dev mailing list
>> bro-dev at bro.org
>> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
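
Added example, not part of the original thread and not Bro's writer code: "database is locked" is SQLite's standard busy error, returned when a connection tries to write to a file on which another connection holds the write lock. The Python code below reproduces it with two plain connections writing to different tables of one file, then shows the separate-files workaround queried as one database through ATTACH; the table schemas, file names and sample rows are constructed.

```python
import os
import sqlite3
import tempfile

def _open(path):
    # timeout=0: report a busy lock immediately instead of waiting for it.
    return sqlite3.connect(path, timeout=0, isolation_level=None)

def second_writer_error(db_path):
    """Two connections, two tables, one file: return the second writer's error."""
    first, second = _open(db_path), _open(db_path)
    try:
        first.execute("CREATE TABLE conn (uid TEXT, orig_h TEXT)")    # constructed schema
        first.execute("CREATE TABLE notice (uid TEXT, note TEXT)")    # constructed schema
        first.execute("BEGIN IMMEDIATE")  # write lock covers the whole file
        first.execute("INSERT INTO conn VALUES ('C1', '10.0.0.5')")
        try:
            second.execute("INSERT INTO notice VALUES ('C1', 'Sample::Notice')")
        except sqlite3.OperationalError as exc:
            return str(exc)
        return None
    finally:
        first.close()
        second.close()

def separate_files_joined(conn_db, notice_db):
    """One file per log (the workaround), joined at query time with ATTACH."""
    c, n = _open(conn_db), _open(notice_db)
    c.execute("CREATE TABLE conn (uid TEXT, orig_h TEXT)")
    n.execute("CREATE TABLE notice (uid TEXT, note TEXT)")
    c.execute("BEGIN IMMEDIATE")
    c.execute("INSERT INTO conn VALUES ('C1', '10.0.0.5')")
    # Succeeds while c's transaction is open: the lock is per database file.
    n.execute("INSERT INTO notice VALUES ('C1', 'Sample::Notice')")
    c.execute("COMMIT")
    c.close()
    n.close()
    reader = _open(conn_db)
    reader.execute("ATTACH DATABASE ? AS notice_db", (notice_db,))
    rows = reader.execute(
        "SELECT c.orig_h, x.note FROM conn AS c "
        "JOIN notice_db.notice AS x ON c.uid = x.uid").fetchall()
    reader.close()
    return rows

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(second_writer_error(os.path.join(d, "shared.sqlite")))
        print(separate_files_joined(os.path.join(d, "conn.sqlite"),
                                    os.path.join(d, "notice.sqlite")))
```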

