syslog events

Vern Paxson vern at icir.org
Sun Feb 15 15:24:46 PST 2004


> Possible to receive Bro events with a syslog daemon?

That's not the Bro model.  Events are meant to be processed by event
handlers in your policy scripts.  Those handlers might then decide to
execute "log" statements (or by calling the ALERT() function, which is
specified in policy/alert.bro), though, and *those* are sent via syslog.

Note, an event is *NOT* an alert, it's a description of some network
activity in security-neutral terms.

> Possible to code a function to convert all events in the same function?
> (and in this new function, choose syslog / stdout / stderr ...)

Not in a policy script, since events are strongly typed.  The tracing
facility, "-t tracefile", lets you dump a list of all the events to a
given file.  Note, on any good-sized network stream, this file gets
huge very fast.

		Vern
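As an added example (not part of Vern's reply or the Bro distribution), here is a small policy script illustrating the model described above: an event handler receives a security-neutral event and decides, by policy, whether to raise an alert via ALERT(), which is what reaches syslog. The alert name TelnetConnectionSeen is hypothetical, and the ALERT() record fields ($alert, $conn, $msg) and the @load alert line are assumed to match policy/alert.bro of that era.

```bro
# Added example, not from the original post. Assumes the alert.bro API
# ($alert / $conn / $msg fields) and uses a hypothetical alert name.
@load alert

redef enum Alert += {
	# Hypothetical alert name introduced for this example.
	TelnetConnectionSeen,
};

event connection_established(c: connection)
	{
	# The event itself only says "a TCP connection was established";
	# it is a description of network activity, not an alert.
	if ( c$id$resp_p == 23/tcp )
		{
		# Policy decision: a cleartext telnet session is worth alerting on.
		# ALERT() is the path that ends up in syslog (and the alert log).
		ALERT([$alert = TelnetConnectionSeen, $conn = c,
		       $msg = fmt("telnet connection %s -> %s",
		                  c$id$orig_h, c$id$resp_h)]);
		}
	}
```

To see the raw event stream the handler is reacting to, run Bro with the tracing option from the reply, e.g. `bro -t events.trace -r capture.pcap example.bro` (file names are placeholders); as noted, the trace file grows quickly on a busy link, so use it on a short capture rather than a live interface.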