[Bro] Append instead of overwrite
James Lay
jlay at slave-tothe-box.net
Fri Aug 15 09:54:28 PDT 2014
On 2014-08-15 10:37, Johanna Amann wrote:
> The problem with that approach is that Bro would have to check that
> the mapping in the files still matches. If you change the scripts
> in-between, the order or even the number of columns in the log-files
> might be different. Which would mean that the headers do not fit the
> file content anymore.
>
> That might give you really difficult to parse log-files if you do it
> by accident.
>
> Johanna
>
> On 15 Aug 2014, at 8:53, James Lay wrote:
>
>> On 2014-08-15 09:46, Seth Hall wrote:
>>> On Aug 15, 2014, at 7:59 AM, James Lay <jlay at slave-tothe-box.net>
>>> wrote:
>>>
>>>>> So I run bro instead of broctl. Currently, if I stop a running bro,
>>>>> and start it again, bro overwrites any previous log files...is there a
>>>>> way to change this behavior? Thank you.
>>>
>>> How would you like it to behave instead?
>>>
>>> .Seth
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro.org/
>>
>> To give me an option to append instead of overwrite. I imagine that
>> since broctl does all the file management, this could be a command
>> line option...
>>
>> bro -i eth0 -n local.bro
>>
>> where -n would be a no overwrite option. In a nutshell "if the files
>> don't exist, create them, if they do, just append, without the header,
>> to the current file". It could just be a single check on start.
>>
>> How's that? Thanks Seth.
>>
>> James
That makes sense, thanks Johanna. I'm guessing that not a lot of folks
run bro outside of brocontrol in a production environment, and to be
honest, if the cpu usage gets reduced in subsequent versions then I'll
hop on the brocontrol boat and enjoy all the benefits. But until then
bro command line is where I sit. I agree that creating broken log files
is not gonna work for anyone, which is why maybe having to specify it
via command line and not make it a default would be the way to go. But
maybe not. Thanks again Johanna and everyone really...bro is a crucial
part of my continuous monitoring...I find more uses for it every day. I
just wish I was smart enough to give back to the community.
James
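The header-consistency check Johanna describes, written out as an added example that is not part of this thread or of Bro itself: it parses the `#fields`/`#types` header of an existing Bro ASCII log (the sample log content below is constructed) and only allows appending when the new run would write exactly the same columns, otherwise rotating to a fresh file with its own header.

```python
# Constructed sample of a Bro ASCII log with its self-describing header
# (not taken from the mailing-list thread).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2014-08-15-09-54-28",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum",
    "1408118068.123456\tCAbcd1\t10.0.0.1\t51234\t10.0.0.2\t80\ttcp",
]) + "\n"

# The columns the new Bro run would write (assumed to match the sample).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto"]
TYPES = ["time", "string", "addr", "port", "addr", "port", "enum"]


def parse_header(text):
    """Return (fields, types) from a Bro ASCII log header, or (None, None)
    if the header is absent. The column separator is taken from the log's
    own '#separator' line (an escaped value such as \\x09)."""
    sep = "\t"
    fields, types = None, None
    for line in text.splitlines():
        if not line.startswith("#"):
            break  # first data row: the header block is over
        if line.startswith("#separator "):
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        key, _, rest = line[1:].partition(sep)
        if key == "fields":
            fields = rest.split(sep)
        elif key == "types":
            types = rest.split(sep)
    return fields, types


def open_mode(existing_text, new_fields, new_types):
    """Decide how to open the log: 'create' if no file exists, 'append' only
    when the existing header matches the new columns exactly, else 'rotate'
    (start a new file with a fresh header rather than mix column layouts)."""
    if existing_text is None:
        return "create"
    fields, types = parse_header(existing_text)
    if fields == new_fields and types == new_types:
        return "append"
    return "rotate"
```

A real wrapper would read the target file once at startup (the "single check on start" James asks for) and call `open_mode` with the columns the loaded scripts produce; `rotate` covers both a changed script set and a file whose header was lost.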