[Bro] The right way to disable bro write local file and enable elasticsearch

Mo Jia life.130815 at gmail.com
Thu May 21 02:59:09 PDT 2015


I added redef Log::enable_local_logging = F; and then elasticsearch can't
work. I think the reason is in this function:

WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo&
arg_info, EnumVal* arg_stream, EnumVal* arg_writer, bool arg_local,
bool arg_remote)
   {

   // comment

   if ( local )
      {
      backend = log_mgr->CreateBackend(this, writer);

      if ( backend )
         backend->Start();
      }

   else
      backend = 0;
   }

I know the ascii writer and the elasticsearch plugin are both like a
filter on a stream. I want to know the right way to disable the ascii
writer.

Is there something like a single var I can redef, such as
enable_ascii_logging?

event bro_init() &priority=5
	{
	Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http"]);
	Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
	}

This may create the stream and, by default, make http.log get created.
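As an added example (not from the original post or from Bro's own scripts): since the quoted WriterFrontend code shows that local = F creates no backend for any writer, ElasticSearch included, the selective alternative is to swap the writer on the stream's filter after the protocol script has created it. It assumes the ElasticSearch writer plugin is loaded so that Log::WRITER_ELASTICSEARCH exists and its server settings are configured elsewhere; es_only_streams is a constructed list for this example.

```bro
# Added example, not part of the original post. Assumes the ElasticSearch
# writer plugin is loaded (provides Log::WRITER_ELASTICSEARCH) and that its
# server host/port are configured elsewhere in local.bro.
@load base/protocols/http
@load base/protocols/conn

# Streams to move off the ASCII writer (constructed list for this example).
const es_only_streams: set[Log::ID] = { HTTP::LOG, Conn::LOG } &redef;

# The protocol scripts create their streams in bro_init() at &priority=5,
# which installs a "default" filter bound to Log::default_writer (ASCII).
# A lower priority runs after that, so the default filter already exists
# and can be replaced rather than being re-created behind our back.
event bro_init() &priority=-5
	{
	for ( id in es_only_streams )
		{
		# Drop the ASCII-backed default filter; no http.log/conn.log on disk.
		Log::remove_default_filter(id);

		# Attach the same stream to the ElasticSearch writer only. The path
		# is left to the framework's default_path_func (e.g. "http").
		Log::add_filter(id, [$name="es", $writer=Log::WRITER_ELASTICSEARCH]);
		}
	}
```

If every stream should go to ElasticSearch, redef Log::default_writer = Log::WRITER_ELASTICSEARCH; changes the writer of every default filter in one place instead of per stream.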
