[Bro] send logs to custom server by socket

Mo Jia life.130815 at gmail.com
Sun May 3 06:43:35 PDT 2015


The Bro logs should be sent to a stream handling process, maybe Kafka or
Storm, for preprocessing the logs (where I need to redefine the log
fields and add more precise fields in one protocol like HTTP). So
logging directly to Elasticsearch may not be a good method.

Also, does Bro support understanding the code by switching on some macro, so I
can see (for example) how a packet was handled, from beginning to end?
I don't want to make a debug version and step through it in gdb to see which
function was called. Something like a debug log of the call order?




2015-05-03 19:53 GMT+08:00 Daniel Guerra <daniel.guerra69 at gmail.com>:
> Is this a Bro-only broker, or does it communicate AMQP?
>
>> On 01 May 2015, at 03:38, Hosom, Stephen M <hosom at battelle.org> wrote:
>>
>> I believe you likely want functionality that technically exists in Master.
>>
>> Check out remote logging with Broker... https://www.bro.org/sphinx-git/frameworks/broker.html#remote-logging
>>
>> I haven't played with that yet, so I can't be certain it does precisely what you want...
>>
>> Alternatively, you could just delete the logs after they rotate and send the logs via syslog with rsyslog, or your syslog daemon of choice.
>>
>> Let me know if that helps!
>> ________________________________________
>> From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Mo Jia [life.130815 at gmail.com]
>> Sent: Thursday, April 30, 2015 1:17 AM
>> To: bro at bro.org
>> Subject: [Bro] send logs to custom server by socket
>>
>> Hello:
>>
>> If I don't want to log to disk, and want to send JSON logs to a remote
>> server: when some code like Log::write(HTTP::LOG, c$http) runs, it should
>> send the HTTP log to my server. Does this mean I need to change
>> src/logging/writers/ascii? Or should I add a new writer, something
>> like socket? I don't want to change the Bro scripts that already exist, so
>> Log::write(HTTP::LOG, c$http) should not change. Or I think I could
>> add a config like
>>
>> LOG_SERVER_IP = 192.168.100
>> LOG_SERVER_PORT = 8087
>>
>> and all the http, notice and so on are sent to the server.
>> Any suggestions? Or has somebody already done this before?
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
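The following is an added example, not code posted by anyone in this thread and not part of Bro itself. It shows one way to get what the original poster asked for (JSON logs for every stream shipped to a remote host, with no change to any existing Log::write() call) along the lines Stephen suggested: keep the ASCII writer, turn on its JSON output, and hand each rotated file to a postprocessor that streams it to the collector and then deletes it. Assumptions: Bro 2.3 or later (for LogAscii::use_json), a `nc` binary on the sensor's PATH, and that Log::active_streams and Log::get_filter behave as in the 2.x logging framework; the module name ShipLogs, the function name ship, and the 192.168.100.1:8087 collector address are placeholders chosen for this example.

```bro
##! Added example: ship every Bro log stream to a remote collector as JSON
##! without modifying the scripts that call Log::write().
##! Assumes Bro >= 2.3 and a netcat (`nc`) binary on PATH. Not Bro's own code.

@load base/frameworks/logging

module ShipLogs;

export {
    ## Collector address and port. Placeholder values for this example;
    ## override them with redef in local.bro.
    const server_ip = "192.168.100.1" &redef;
    const server_port = 8087 &redef;
}

# Make the ASCII writer emit one JSON object per line instead of TSV,
# which is what a Kafka/Storm preprocessing stage will want to consume.
redef LogAscii::use_json = T;

# Rotate often so records reach the collector with little delay;
# the files still touch disk briefly between rotations.
redef Log::default_rotation_interval = 1min;

# Postprocessor: called once per rotated file. Streams the file to the
# collector over a plain TCP socket, then removes it so nothing accumulates.
# NOTE: this is cleartext TCP with no authentication; put it on a dedicated
# management network, wrap it in TLS (e.g. stunnel), or use Broker remote
# logging in newer versions if the logs cross an untrusted segment.
function ship(info: Log::RotationInfo): bool
    {
    # info$fname is the rotated file, e.g. "http-15-05-03_06.43.00.log".
    # The `-q 1` flag (Debian netcat) closes the connection after EOF on stdin.
    local cmd = fmt("nc -q 1 %s %d < %s && rm -f %s",
                    server_ip, server_port, info$fname, info$fname);
    system(cmd);
    return T;
    }

# Run after every protocol script has created its stream (they do so in
# bro_init at the default priority), so all streams are visible here.
event bro_init() &priority=-5
    {
    # Attach the shipping postprocessor to the default filter of every
    # active stream (http, conn, notice, ...). Re-adding a filter with the
    # same name replaces the existing one, so the streams themselves and the
    # Log::write() calls in the standard scripts stay untouched.
    for ( id in Log::active_streams )
        {
        local f = Log::get_filter(id, "default");
        f$postprocessor = ship;
        Log::add_filter(id, f);
        }
    }
```

Load it with `@load ./shiplogs` from local.bro (or pass the file on the `bro` command line). On the collector side the receiver just has to accept line-delimited JSON on the configured port; each line already carries the `_path`-independent field names of the originating stream, so the Kafka or Storm stage can add or rename fields before anything is indexed in Elasticsearch. If logs must never touch the sensor's disk at all, this approach does not meet that requirement; that case needs a socket-based writer plugin or Broker remote logging instead.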

