[Bro] Append instead of overwrite

James Lay jlay at slave-tothe-box.net
Fri Aug 15 09:54:28 PDT 2014


On 2014-08-15 10:37, Johanna Amann wrote:
> The problem with that approach is that Bro would have to check that
> the mapping in the files still matches. If you change the scripts
> in-between, the order or even the number of columns in the log-files
> might be different. Which would mean that the header does not fit the
> file content anymore.
>
> That might give you really difficult to parse log-files if you do it
> by accident.
>
> Johanna
>
> On 15 Aug 2014, at 8:53, James Lay wrote:
>
>> On 2014-08-15 09:46, Seth Hall wrote:
>>> On Aug 15, 2014, at 7:59 AM, James Lay <jlay at slave-tothe-box.net>
>>> wrote:
>>>
>>>>> So I run bro instead of broctl.  Currently, if I stop a running bro,
>>>>> and start it again, bro overwrites any previous log files...is there a
>>>>> way to change this behavior?  Thank you.
>>>
>>> How would you like it to behave instead?
>>>
>>> .Seth
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro.org/
>>
>> To give me an option to append instead of overwrite.  I imagine that
>> since broctl does all the file management that this could be a command
>> line option...
>>
>> bro -i eth0 -n local.bro
>>
>> where -n would be a no overwrite option.  In a nutshell "if the files
>> don't exist, create them, if they do, just append, without the header,
>> to the current file".  It could just be a single check on start.
>>
>> How's that?  Thanks Seth.
>>
>> James

That makes sense, thanks Johanna.  I'm guessing that not a lot of folks 
run bro outside of brocontrol in a production environment, and to be 
honest, if the cpu usage gets reduced in subsequent versions then I'll 
hop on the brocontrol boat and enjoy all the benefits.  But until then 
bro commandline is where I sit.  I agree that creating broken log files 
is not gonna work for anyone, which is why maybe having to specify it 
via command line and not make it a default would be the way to go.  But 
maybe not.  Thanks again Johanna and everyone really...bro is a crucial 
part of my continuous monitoring...I find more uses for it every day.  I 
just wish I was smart enough to give back to the community.

James
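The "single check on start" that the thread talks about can be done by a wrapper around Bro rather than by Bro itself. The script below is an added example, not Bro's code and not something either poster wrote: it parses the header lines of Bro's ASCII log format (`#separator`, `#fields`, `#types` and friends), compares the column layout of the existing file with the new run's output, and appends the new rows under the old header only when they agree. If the layout changed (for instance because local.bro gained a column between stop and start), it refuses, which is exactly the broken-file case Johanna describes. The sample conn.log contents are constructed for the example, not real captures; the function names are the example's own.

```python
"""Append a Bro ASCII log to an existing one only when the column layout matches.

Added example, not Bro's own code. It performs the 'single check on start'
from the thread outside of Bro: the header lines Bro writes (#separator,
#fields, #types, ...) are compared between the existing file and the new run.
If they agree, the new data rows go under the old header with no second header;
otherwise the merge is refused so the header always describes the rows below it.
"""
import os
from collections import namedtuple

# Header keys that fix the column layout. #open and #close are timestamps and
# are allowed to differ between runs.
LAYOUT_KEYS = ("separator", "set_separator", "empty_field", "unset_field",
               "path", "fields", "types")

BroLog = namedtuple("BroLog", "header header_lines rows trailer")


def parse_bro_log(text):
    """Split a Bro ASCII log into a header dict, the raw header lines, the data
    rows, and the '#close' trailer (None if the writer did not finish the file)."""
    header, header_lines, rows, trailer = {}, [], [], None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            parts = line[1:].split(None, 1)   # '#fields\tts\tuid' -> ['fields', 'ts\tuid']
            key = parts[0]
            value = parts[1] if len(parts) > 1 else ""
            if key == "close":
                trailer = line
            else:
                header[key] = value
                header_lines.append(line)
        else:
            rows.append(line)
    return BroLog(header, header_lines, rows, trailer)


def layout_diff(old, new):
    """Return the layout keys whose values differ between two parsed logs."""
    return [k for k in LAYOUT_KEYS if old.header.get(k) != new.header.get(k)]


def layout_matches(existing_text, new_text):
    return not layout_diff(parse_bro_log(existing_text), parse_bro_log(new_text))


def merge_logs(existing_text, new_text):
    """Return existing_text with new_text's rows appended under the existing
    header. The old '#close' is dropped and the new one kept, so the file still
    ends with a single trailer. Raises ValueError if the layout changed."""
    old, new = parse_bro_log(existing_text), parse_bro_log(new_text)
    diff = layout_diff(old, new)
    if diff:
        raise ValueError("refusing to append: layout changed in " + ", ".join(diff))
    out = old.header_lines + old.rows + new.rows
    if new.trailer is not None:
        out.append(new.trailer)
    return "\n".join(out) + "\n"


def append_or_create(path, new_text):
    """The '-n' behaviour proposed in the thread, done by a wrapper (hypothetical
    helper): create the file if missing, otherwise append without a second header."""
    if not os.path.exists(path):
        with open(path, "w") as fh:
            fh.write(new_text)
        return "created"
    with open(path) as fh:
        merged = merge_logs(fh.read(), new_text)
    with open(path, "w") as fh:
        fh.write(merged)
    return "appended"


# Constructed sample logs (not real captures): a short conn.log from a first
# run, a second run with the same scripts, and a second run after a script
# change that added a 'service' column.
RUN1 = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2014-08-15-09-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\n"
    "#types\ttime\tstring\taddr\taddr\tenum\n"
    "1408118400.000000\tCabc1\t10.0.0.5\t10.0.0.9\ttcp\n"
    "#close\t2014-08-15-09-30-00\n"
)
RUN2 = RUN1.replace("09-00-00", "09-40-00").replace("09-30-00", "09-54-28") \
           .replace("1408118400.000000\tCabc1", "1408120800.000000\tCdef2")
RUN2_CHANGED = RUN2.replace("\tproto\n", "\tproto\tservice\n") \
                   .replace("\tenum\n", "\tenum\tstring\n") \
                   .replace("\ttcp\n", "\ttcp\tdns\n")

if __name__ == "__main__":
    print(merge_logs(RUN1, RUN2), end="")
    try:
        merge_logs(RUN1, RUN2_CHANGED)
    except ValueError as exc:
        print(exc)
```

Run it and the first output is RUN1 and RUN2 joined under one header with RUN2's `#close` as the only trailer; the second call is refused with `layout changed in fields, types`. A wrapper around `bro -i eth0 local.bro` could run `append_or_create` per log file at startup, or on mismatch rotate the old file aside instead of refusing; either way the header never lies about the rows under it.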
