[Bro] broctl Email Reports

Martin Holste mcholste at gmail.com
Wed May 30 07:48:33 PDT 2012


You sound like a perfect candidate for someone who wants to get their
logs into a frontend for reporting like Splunk or my ELSA project.  I
have a how-to available here:
ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html .
This will let you do reporting and alerting at whatever interval
you're looking for.

On Wed, May 30, 2012 at 9:39 AM, Chris Crawford
<christopher.p.crawford at gmail.com> wrote:
> I like that broctl will roll logs over every hour.  My default
> broctl.cfg file includes:
>
> # Rotation interval in seconds for log files on manager/standalone node.
> LogRotationInterval = 3600
>
> I don't like getting an email from broctl every hour, though.  Is
> there a way to get a daily report, instead of an hourly report?
>
>
> Related --
>
> The Bro README [1] claims:
>
> "BroControl sends four types of mails to the address given in MailTo:
>
> 1. When logs are rotated (per default once a day), a list of all
> alarms during the last rotation interval is sent. This can be disabled
> by setting MailAlarms=0."
>
> But elsewhere in the README:
>
> "LogRotationInterval (int, default 3600)
>    The frequency of log rotation in seconds for the manager/standalone node."
>
> This is confusing to me -- maybe someone can help me understand.  Are
> they talking about two different things?
>
> [1] http://www.bro-ids.org/documentation/components/broctl/README.html
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
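Chris's underlying need, a once-a-day summary of alarms even though broctl rotates (and mails) hourly, can also be met outside broctl by post-processing the rotated notice logs. The script below is an added example and is not Bro, broctl or ELSA code. It parses Bro's TSV log format (the `#separator`, `#set_separator`, `#unset_field`, `#fields` and `#types` header lines are real), keeps only notices whose `actions` set contains `Notice::ACTION_ALARM` (the notices broctl's MailAlarms mail lists), and groups them by UTC day and notice type. The embedded notice.log fragment is constructed for illustration (a subset of the real field set, made-up hosts and UIDs), and the rotated-file layout `logs/YYYY-MM-DD/notice.HH:MM:SS-HH:MM:SS.log.gz` assumed by `read_rotated_logs` is an assumption about broctl's naming.

```python
"""Summarize hourly-rotated Bro notice.log files into one daily alarm report.

Added example, not Bro/broctl code. Assumes broctl's rotated layout
logs/YYYY-MM-DD/notice.HH:MM:SS-HH:MM:SS.log.gz and Bro's TSV log format.
"""
import gzip
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample: a fragment of a Bro 2.x notice.log (subset of fields,
# made-up hosts, UIDs and timestamps; 2012-05-30 and 2012-05-31 UTC).
SAMPLE_NOTICE_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tnotice
#open\t2012-05-30-00-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tactions
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\ttable[enum]
1338357612.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t192.0.2.10\t22\tSSH::Password_Guessing\t10.0.0.5 appears to be guessing SSH passwords\tNotice::ACTION_LOG,Notice::ACTION_ALARM
1338361201.000000\t-\t10.0.0.7\t-\t192.0.2.20\t80\tScan::Port_Scan\t10.0.0.7 scanned 20 ports on 192.0.2.20\tNotice::ACTION_LOG,Notice::ACTION_ALARM
1338364800.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.9\t40001\t192.0.2.10\t22\tSSH::Password_Guessing\t10.0.0.9 appears to be guessing SSH passwords\tNotice::ACTION_LOG,Notice::ACTION_ALARM
1338368400.000000\tCmES5u32sYpV7JYN\t10.0.0.5\t51300\t192.0.2.30\t443\tWeird::Activity\tbad_TCP_checksum\tNotice::ACTION_LOG
1338426000.000000\t-\t10.0.0.7\t-\t192.0.2.0\t-\tScan::Address_Scan\t10.0.0.7 scanned 25 hosts\tNotice::ACTION_ALARM
#close\t2012-05-31-01-00-00
"""


def _decode_sep(raw):
    # "#separator \x09" carries the separator as an escaped literal.
    return raw.encode("ascii").decode("unicode_escape")


def parse_bro_log(text):
    """Yield one dict per record, driven by the #fields/#types headers.

    Unset fields (#unset_field, normally "-") become None; set/table-typed
    fields are split on #set_separator into Python sets.
    """
    sep, set_sep, unset = "\t", ",", "-"
    fields = types = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _decode_sep(line.split(" ", 1)[1])
                continue
            key, *rest = line[1:].split(sep)
            if key == "set_separator":
                set_sep = rest[0]
            elif key == "unset_field":
                unset = rest[0]
            elif key == "fields":
                fields = rest
            elif key == "types":
                types = rest
            continue
        if fields is None or types is None:
            raise ValueError("record seen before #fields/#types header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        rec = {}
        for name, typ, val in zip(fields, types, values):
            if val == unset:
                rec[name] = None
            elif typ.startswith(("set[", "table[")):
                rec[name] = set(val.split(set_sep))
            else:
                rec[name] = val
        yield rec


def alarms_by_day(records, alarm_action="Notice::ACTION_ALARM"):
    """Count, per UTC date and note type, the notices broctl would mail as alarms."""
    report = defaultdict(Counter)
    for rec in records:
        if alarm_action not in (rec.get("actions") or set()):
            continue
        day = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
        report[day.strftime("%Y-%m-%d")][rec["note"]] += 1
    return dict(report)


def read_rotated_logs(paths):
    """Yield records from plain or gzip-compressed rotated notice logs."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt") as fh:
            yield from parse_bro_log(fh.read())


def format_report(report):
    """Render the per-day counts as the body of a daily mail."""
    lines = []
    for day in sorted(report):
        lines.append("%s: %d alarm(s)" % (day, sum(report[day].values())))
        for note, n in report[day].most_common():
            lines.append("  %5d  %s" % (n, note))
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: read_rotated_logs(sorted(glob.glob("logs/2012-05-30/notice.*.log.gz")))
    print(format_report(alarms_by_day(parse_bro_log(SAMPLE_NOTICE_LOG))))
```

Run once a day from cron over the previous day's `logs/YYYY-MM-DD/notice.*` files and pipe the output to `mail`; broctl's own hourly mail can then be silenced with `MailAlarms = 0` in broctl.cfg while the hourly `LogRotationInterval` stays as it is. Splitting `actions` on `#set_separator` rather than substring-matching matters because `Notice::ACTION_ALARM` is one member of a set, and respecting `#unset_field` avoids treating "-" as a real UID or port.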



