[Bro] broctl Email Reports
Chris Crawford
christopher.p.crawford at gmail.com
Wed May 30 12:04:05 PDT 2012
Thanks Robin - I think this is exactly what I was looking for.
I tried adding what you recommended to my local.bro and then did a
broctl install
broctl update
but the connection summary email is still going out on the hour.
Is there something else that I need to do?
-Chris
On Wed, May 30, 2012 at 2:27 PM, Robin Sommer <robin at icir.org> wrote:
>
> On Wed, May 30, 2012 at 10:39 -0400, you wrote:
>
>> I don't like getting an email from broctl every hour, though. Is
>> there a way to get a daily report, instead of an hourly report?
>
> It's indeed coupled to log rotation currently, but you can change that
> by redefining the rotation interval for the alarm summaries. Try this
> in local.bro:
>
> event bro_init()
> {
> local f = Log::get_filter(Notice::ALARM_LOG, "alarm-mail");
> f$interv = 1day;
> Log::add_filter(Notice::ALARM_LOG, f);
> }
>
>> 1. When logs are rotated (per default once a day),
>
> Ah, that's outdated, the default log rotation used to be once a day,
> but is now once an hour.
>
>> "LogRotationInterval (int, default 3600)
>
> We should add a second option here that defines the rotation interval
> for the alarm summaries separately.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro
mailing list