[Bro] Append instead of overwrite

Johanna Amann johanna at icir.org
Fri Aug 15 09:37:07 PDT 2014


The problem with that approach is that Bro would have to check that the 
mapping in the files still matches. If you change the scripts in-between, 
the order or even the number of columns in the log-files might be 
different, which would mean that the header does not fit the file content 
anymore.

That might give you really difficult to parse log-files if you do it by 
accident.

Johanna

On 15 Aug 2014, at 8:53, James Lay wrote:

> On 2014-08-15 09:46, Seth Hall wrote:
>> On Aug 15, 2014, at 7:59 AM, James Lay <jlay at slave-tothe-box.net>
>> wrote:
>>
>>>> So I run bro instead of broctl.  Currently, if I stop a running
>>>> bro,
>>>> and start it again, bro overwrites any previous log files...is
>>>> there a
>>>> way to change this behavior?  Thank you.
>>
>> How would you like it to behave instead?
>>
>> .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>
> To give me an option to append instead of overwrite.  I imagine that
> since broctl does all the file management that this could be a command
> line option...
>
> bro -i eth0 -n local.bro
>
> where -n would be a no overwrite option.  In a nutshell "if the files
> don't exist, create them, if they do, just append, without the header,
> to the current file".  It could just be a single check on start.
>
> How's that?  Thanks Seth.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
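The header consistency check Johanna describes, written out as an added example (not code from Bro or from anyone on this thread): before a new run appends to an existing Bro ASCII log, compare the `#fields` and `#types` the file declares with the columns the new run would write, and rotate the file instead of appending when they differ. The sample conn.log content, the new run's column lists and the function names are all constructed for this example; the only Bro facts it relies on are the `#`-prefixed header lines, the tab separator and the trailing `#close` footer that a cleanly closed log carries.

```python
"""Added example: check whether an existing Bro ASCII log can be appended to.

If the scripts changed between runs (columns reordered, added or removed),
the old header no longer describes the new rows, so the safe action is to
rotate the old file rather than append to it.
"""
from typing import Dict, List, Optional

# Constructed sample: a conn.log left behind by a previous, cleanly stopped run.
EXISTING_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2014-08-15-09-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum",
    "1408114800.000000\tCabc123\t10.0.0.5\t51234\t10.0.0.9\t80\ttcp",
    "#close\t2014-08-15-09-30-00",
]) + "\n"

# Columns the new run would write (constructed; matches the sample above).
NEW_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto"]
NEW_TYPES = ["time", "string", "addr", "port", "addr", "port", "enum"]


def parse_header(log_text: str) -> Dict[str, Optional[List[str]]]:
    """Extract the #fields and #types lists from a Bro ASCII log header.

    Header lines start with '#'; the first non-'#' line is data and ends the
    header.  A missing line is reported as None.
    """
    header: Dict[str, Optional[List[str]]] = {"fields": None, "types": None}
    for line in log_text.splitlines():
        if not line.startswith("#"):
            break
        key, _, rest = line.partition("\t")
        if key == "#fields":
            header["fields"] = rest.split("\t")
        elif key == "#types":
            header["types"] = rest.split("\t")
    return header


def has_close_footer(log_text: str) -> bool:
    """True if the last line is a '#close' footer (file was closed cleanly)."""
    lines = log_text.rstrip("\n").splitlines()
    return bool(lines) and lines[-1].startswith("#close\t")


def append_plan(existing_log: str, new_fields: List[str],
                new_types: List[str]) -> Dict[str, object]:
    """Decide whether a new run may append to an existing log.

    Returns {"action": "append" | "rotate", "strip_close": bool, "reason": str}.
    'append' is chosen only when the declared columns match exactly.
    """
    hdr = parse_header(existing_log)
    if hdr["fields"] is None:
        return {"action": "rotate", "strip_close": False,
                "reason": "existing file has no #fields header"}
    if hdr["fields"] != new_fields:
        return {"action": "rotate", "strip_close": False,
                "reason": "column mismatch: file declares %s, new run writes %s"
                          % (hdr["fields"], new_fields)}
    if hdr["types"] is not None and hdr["types"] != new_types:
        return {"action": "rotate", "strip_close": False,
                "reason": "type mismatch: file declares %s, new run writes %s"
                          % (hdr["types"], new_types)}
    # Header matches.  A cleanly closed file ends with '#close'; that footer
    # has to go before appending, or the new rows would follow it.
    return {"action": "append", "strip_close": has_close_footer(existing_log),
            "reason": "header matches"}


def strip_close_footer(log_text: str) -> str:
    """Return the log without its trailing '#close' line, ready for appending."""
    if not has_close_footer(log_text):
        return log_text
    lines = log_text.rstrip("\n").splitlines()
    return "\n".join(lines[:-1]) + "\n"


if __name__ == "__main__":
    print(append_plan(EXISTING_CONN_LOG, NEW_FIELDS, NEW_TYPES))
    print(append_plan(EXISTING_CONN_LOG, NEW_FIELDS + ["service"], NEW_TYPES + ["string"]))
```

The second call in the usage block stands in for the situation from the reply: a script change added a `service` column, so the old header would mislabel every new row and the plan comes back as `rotate`. A wrapper that does append would run `append_plan` once at start-up, as James suggests, and only write records without a header when the answer is `append`.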


