[Bro] broctl Email Reports

Chris Crawford christopher.p.crawford at gmail.com
Wed May 30 12:04:05 PDT 2012


Thanks Robin - I think this is exactly what I was looking for.

I tried adding what you recommended to my local.bro and then did a

broctl install
broctl update

but the connection summary email is still going out on the hour.

Is there something else that I need to do?

-Chris

On Wed, May 30, 2012 at 2:27 PM, Robin Sommer <robin at icir.org> wrote:
>
> On Wed, May 30, 2012 at 10:39 -0400, you wrote:
>
>> I don't like getting an email from broctl every hour, though.  Is
>> there a way to get a daily report, instead of an hourly report?
>
> It's indeed coupled to log rotation currently, but you can change that
> by redefining the rotation interval for the alarm summaries. Try this
> in local.bro:
>
>    event bro_init()
>        {
>        local f = Log::get_filter(Notice::ALARM_LOG, "alarm-mail");
>        f$interv = 1day;
>        Log::add_filter(Notice::ALARM_LOG, f);
>        }
>
>> 1. When logs are rotated (per default once a day),
>
> Ah, that's outdated, the default log rotation used to be once a day,
> but is now once an hour.
>
>> "LogRotationInterval (int, default 3600)
>
> We should add a second option here that defines the rotation interval
> for the alarm summaries separately.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org



