[Bro] Disabling logs from loaded scripts

Knick, Scott E CTR USARMY RCERT-EUR (US) scott.e.knick.ctr at mail.mil
Fri May 9 00:41:32 PDT 2014

Thanks. I found the best way to do what I want by looking at the link you provided. In my bro_init() handler, I simply disable the HTTP module's logging like so:

event bro_init()
    Log::create_stream(HTTP_LOG, [$columns = HTTPRequest]);
    Log::create_stream(P0F_LOG, [$columns = OSFingerprint]);

That handler disables the HTTP module's log and then creates two logs for the things I want to log in my module. Works like a champ!

-----Original Message-----
From: Shane Castle [mailto:shane.castle at gmail.com] 
Sent: Wednesday, May 07, 2014 12:38 PM
To: Knick, Scott E CTR USARMY RCERT-EUR (US); bro at bro.org
Subject: Re: [Bro] Disabling logs from loaded scripts

There are a couple of things you might do. You could modify the scripts you want, put them in bro/share/site, and load them from there instead of the usual spots, for instance. You could make a new directory under the bro/share hierarchy, put your custom or test scripts in there, and load the whole set using one '@load', if I recall correctly.

The best approach might be tuning the logging by customizing the logging framework. See this section of the doc:

Please experiment, but remember not to modify any of the the scripts in the normal directories, that is, keep your mods to new directories or to the bro/share/site directory, as others will be replaced with updates.

Shane Castle

On 07.05.2014 10:26, Knick, Scott E CTR USARMY RCERT-EUR (US) wrote:
> I want to tightly control what Bro outputs. As a result, I run it with 
> the "bare" option enabled. This works well except any scripts I load 
> end up logging their own stuff. For example, if my script loads 
> base/protocols/http, then that module ends up logging stuff to 
> files.log and http.log. I was able to cut out the files.log by loading 
> specifically base/protocols/http/main.bro, but http.log is still 
> generated. Is there some other option I can use, perhaps in my script?
> Thanks.
> -- Scott Knick

More information about the Bro mailing list