[Bro] multiple sqlite writers

Johanna Amann johanna at icir.org
Wed Mar 4 14:03:25 PST 2015


Hello Tony,

On Wed, Mar 04, 2015 at 04:44:53PM -0500, Tony Cebzanov wrote:
> Is there any way to log multiple log streams to a single sqlite database 
> as different tables, or does each logging stream / table have to be in a 
> separate file?

That should in principle work - I think you should be able to specify the
same path for two logging filters while using different tablenames in the
$config (see
https://www.bro.org/sphinx-git/frameworks/logging-input-sqlite.html for an
example).

That being said, it might lead to a couple of problems. Each of the output
streams will run in a separate thread and open the database individually.
That means only one of the threads can write to the database
simultaneously (see https://www.sqlite.org/faq.html#q5). This will
probably have significant performance implications. I am also not quite
sure how well the logging framework deals with the fact that a db is
currently blocked and it is not able to write.

I hope that helps,
 Johanna
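The single-writer behaviour described in the reply above, as an added example that is not part of the original message or of Bro's code: Python's `sqlite3` module stands in for two writer threads that open the same file and write to different tables. The table names `conn` and `http`, the file name, and the zero busy timeout are assumptions; it shows SQLite's locking only, not how Bro's logging framework reacts to a blocked database.

```python
import os
import sqlite3
import tempfile


def demo_two_writers(db_path):
    """Open one SQLite file twice and write to a different table from each handle."""
    # isolation_level=None: transactions are controlled with explicit BEGIN/COMMIT.
    # timeout=0: report a busy database immediately instead of waiting for the lock.
    a = sqlite3.connect(db_path, timeout=0, isolation_level=None)
    b = sqlite3.connect(db_path, timeout=0, isolation_level=None)
    a.execute("CREATE TABLE conn (uid TEXT)")   # hypothetical table for stream 1
    a.execute("CREATE TABLE http (uid TEXT)")   # hypothetical table for stream 2

    results = {}
    a.execute("BEGIN IMMEDIATE")                # writer A takes the write lock
    a.execute("INSERT INTO conn VALUES ('C1')")
    try:
        # Writer B touches a different table, but the lock covers the whole file.
        b.execute("BEGIN IMMEDIATE")
        b.execute("INSERT INTO http VALUES ('H1')")
        b.execute("COMMIT")
        results["b_while_a_open"] = "ok"
    except sqlite3.OperationalError as exc:
        results["b_while_a_open"] = str(exc)
    a.execute("COMMIT")                         # writer A releases the lock

    # Once A has committed, B's write goes through.
    b.execute("BEGIN IMMEDIATE")
    b.execute("INSERT INTO http VALUES ('H1')")
    b.execute("COMMIT")
    results["b_after_a_commit"] = "ok"

    results["conn_rows"] = a.execute("SELECT count(*) FROM conn").fetchone()[0]
    results["http_rows"] = a.execute("SELECT count(*) FROM http").fetchone()[0]
    a.close()
    b.close()
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in demo_two_writers(os.path.join(tmp, "logs.sqlite")).items():
            print(f"{key}: {value}")
```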

