[Bro] Exporting bro alarms and notices

George Noseevich ngo at lvk.cs.msu.su
Thu Nov 10 05:52:52 PST 2011


Thanks for your answer.

So is the syslog logging (either local or remote) the only alternative
to logfiles? No database nor ability to add custom log-processing hooks?

As for IDMEF, I don't personally like the format (bloated xml messages
are a nightmare) but it seems this is the only option to handle alerts
in a mixed IDS/IPS environment.

On 10.11.2011 17:42, Louis F Ruppert wrote:
> Hello.
>
> If you're using 1.5.x, you can export alarms via syslog like this:
>
> redef enable_syslog = T;
>
> Some of my installations use prelude's LML to then pull the syslogged
> alerts in and mix them with the other NIDS/HIDS data.
>
> If you're using 2.x beta, Martin did a good writeup here on how to use
> rsyslog to syslog them to another server:
>
> http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html
>
> I'm glad you asked about the IDMEF support.  I've been making some
> noise for that as well. :)

