[Bro] bro cluster notification options

Dop dopheide at ncsa.illinois.edu
Fri Feb 4 09:00:49 PST 2011


We're moving from a single production Bro system to a Bro cluster while
also upgrading to 1.5.2.  I've got a few questions about customizing
notifications.

1) We have a situation where one of the Bro workers may be monitoring a
shared link.  We want all the events sent centrally to the manager still,
but there's a request that an outside entity have access to that worker's
logs as well.  One option is to set "redef suppress_local_output = F;" and
export the logs from the worker directly, but there's also the issue of
email alerts.  Is there an option to specify a different mail_dest for a
given worker node?


2) Related to that, we want to send some alerts to different email
addresses.  Our use case here is sending off new, untuned alerts to a
different address than our normal incident response list.  One option is
to just write a function that does that emailing through a script, but I'm
just checking to make sure there isn't a built-in variable for that.

Thanks,
Dop