[Bro] Disabling logs from loaded scripts
Knick, Scott E CTR USARMY RCERT-EUR (US)
scott.e.knick.ctr at mail.mil
Fri May 9 00:41:32 PDT 2014
Thanks. I found the best way to do what I want by looking at the link you provided. In my bro_init() handler, I simply disable the HTTP module's logging like so:
Log::create_stream(HTTP_LOG, [$columns = HTTPRequest]);
Log::create_stream(P0F_LOG, [$columns = OSFingerprint]);
That handler disables the HTTP module's log and then creates two logs for the things I want to log in my module. Works like a champ!
From: Shane Castle [mailto:shane.castle at gmail.com]
Sent: Wednesday, May 07, 2014 12:38 PM
To: Knick, Scott E CTR USARMY RCERT-EUR (US); bro at bro.org
Subject: Re: [Bro] Disabling logs from loaded scripts
There are a couple of things you might do. You could modify the scripts you want, put them in bro/share/site, and load them from there instead of the usual spots, for instance. You could make a new directory under the bro/share hierarchy, put your custom or test scripts in there, and load the whole set using one '@load', if I recall correctly.
The best approach might be tuning the logging by customizing the logging framework. See this section of the doc:
Please experiment, but remember not to modify any of the the scripts in the normal directories, that is, keep your mods to new directories or to the bro/share/site directory, as others will be replaced with updates.
On 07.05.2014 10:26, Knick, Scott E CTR USARMY RCERT-EUR (US) wrote:
> I want to tightly control what Bro outputs. As a result, I run it with
> the "bare" option enabled. This works well except any scripts I load
> end up logging their own stuff. For example, if my script loads
> base/protocols/http, then that module ends up logging stuff to
> files.log and http.log. I was able to cut out the files.log by loading
> specifically base/protocols/http/main.bro, but http.log is still
> generated. Is there some other option I can use, perhaps in my script?
> -- Scott Knick
More information about the Bro