[Bro] The right way to disable bro write local file and enable elasticsearch

[Mo Jia]

And it seem that in frameworks/logging/man.bro. Everytime it create stream.

function add_default_filter(id: ID) : bool
{
return add_filter(id, [$name="default"]);
}

this line auto create a  Log::WRITER_ASCII to stream.

I am looking for a scripts-method to disable ascii log and enable
other writer. ( don't want change any c++ file in bro)
Does I need comment  this line. If in this way every time I install
new bro, I should change it .


2015-05-21 17:59 GMT+08:00 Mo Jia <life.130815 at gmail.com>:
> I add redef Log::enable_local_logging = F; the elasticsearch can't
> work , I think the reason is in this func:
>
> WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo&
> arg_info, EnumVal* arg_stream, EnumVal* arg_writer, bool arg_local,
> bool arg_remote)
>    {
>
>    // comment
>
>    if ( local )
>       {
>       backend = log_mgr->CreateBackend(this, writer);
>
>       if ( backend )
>          backend->Start();
>       }
>
>    else
>       backend = 0;
>    }
>
> I know the ascii writer and elasticsearch plugin are both like a
> filter on a stream. I want to know the right way to disable the asscii
> writer?
>
> Is there somethings like a  single  var I can redef such as
> enable_ascii_logging ,
>
> event bro_init() &priority=5
> {
> Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http"]);
> Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
> }
>
> This may create the stream and default make http.log can be create.