more syslog?

Vern Paxson vern at icir.org
Sun Jul 13 12:59:31 PDT 2003


> While I am enjoying running my new bro-0.8_32, I find that some of the
> stuff gets reported to syslog (such as ContentGap and some FTP attacks),
> while the rest is getting piled to multiple files (ftp.log, http.log,
> etc).  I looked at the manual and the *.bro file and it looks like it's
> hard-coded with ALERT statements. Is there any way to globally redirect
> everything to syslog?

There's no single mechanism for doing this.

You should be able to send all the log files to a single location by
redef'ing the various log file variables such as ftp_log, etc.  For many
environments, you wouldn't want to syslog all of it, as it rapidly runs
into an immense amount of logging.

For finer-grained control over ALERT processing, Robin Sommer has contributed
the notion of an event that's generated after ALERT does its processing.
(This is in the 0.8a34 release that I just announced.)  It looks like:

	event alert_action(a: alert_info, action: AlertAction)

Because it's parameterized with the corresponding action, you can then
incorporate the action into your decision about what to do with the alert.
ALERT still generates a syslog for loggable actions, and prints the alert
to the alert log; perhaps it shouldn't, I'm undecided at this point.

Looking down the road, Umesh Shankar has implemented a "match" facility
that will provide more powerful event filtering & action designation.
I haven't integrated his changes yet, but will soon - I finally have dug
out for a bit and have some time for Bro development.

		Vern
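The two approaches in the reply (redef'ing the per-protocol log file variables to one place, and handling the new alert_action event), as an added policy-script sketch that is not from the original thread. It assumes the Bro 0.8 built-ins open_log_file(), fmt() and syslog(), the ALERT_FILE enum value, and an a$msg field on alert_info, none of which are shown in the message.

```bro
# Added example, not from the original post. Assumptions: open_log_file(),
# fmt() and syslog() are Bro 0.8 built-ins; ALERT_FILE is one AlertAction
# value; alert_info carries a msg string field.

# Point several per-protocol logs at a single log file.
redef ftp_log  = open_log_file("all");
redef http_log = open_log_file("all");

# Handler for the 0.8a34 event generated after ALERT has processed an alert.
# ALERT already syslogs loggable actions; this forwards the file-only ones
# too, which is the "everything to syslog" behaviour the question asked for.
event alert_action(a: alert_info, action: AlertAction)
	{
	if ( action == ALERT_FILE )
		syslog(fmt("bro alert %s: %s", a$alert, a$msg));
	}
```

Expect the syslog volume warning from the reply to apply: on a busy link this forwards every file-logged alert, so filter on a$alert before shipping it all.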


