[Bro] The right way to disable bro write local file and enable elasticsearch

Daniel Thayer dnthayer at illinois.edu
Thu May 21 10:00:29 PDT 2015


Have you tried removing the default filter?

event bro_init()
     {
     Log::remove_filter(HTTP::LOG, "default");
     }


On 05/21/2015 05:19 AM, Mo Jia wrote:
> And it seems that in frameworks/logging/man.bro, every time it creates a stream:
>
> function add_default_filter(id: ID) : bool
>      {
>      return add_filter(id, [$name="default"]);
>      }
>
> this line auto-creates a Log::WRITER_ASCII writer for the stream.
>
> I am looking for a script-based method to disable the ASCII log and enable
> another writer (I don't want to change any C++ file in Bro).
> Do I need to comment out this line? If so, every time I install a
> new Bro, I would have to change it.
>
>
> 2015-05-21 17:59 GMT+08:00 Mo Jia <life.130815 at gmail.com>:
>> I add redef Log::enable_local_logging = F; the elasticsearch can't
>> work , I think the reason is in this func:
>>
>> WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo&
>> arg_info, EnumVal* arg_stream, EnumVal* arg_writer, bool arg_local,
>> bool arg_remote)
>>     {
>>
>>     // comment
>>
>>     if ( local )
>>        {
>>        backend = log_mgr->CreateBackend(this, writer);
>>
>>        if ( backend )
>>           backend->Start();
>>        }
>>
>>     else
>>        backend = 0;
>>     }
>>
>> I know the ASCII writer and the ElasticSearch plugin both act like a
>> filter on a stream. I want to know the right way to disable the ASCII
>> writer.
>>
>> Is there something like a single variable I can redef, such as
>> enable_ascii_logging?
>>
>> event bro_init() &priority=5
>>      {
>>      Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http"]);
>>      Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
>>      }
>>
>> This creates the stream and, by default, causes http.log to be created.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
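To show how the suggestion above fits together with the stream creation quoted from the HTTP script, here is an added example script (not code from the thread or from the Bro project). It removes the "default" ASCII filter from HTTP::LOG and attaches a filter that uses the ElasticSearch writer instead, leaving Log::enable_local_logging alone so that the writer frontend still creates a local backend. The filter name "es" and the path "http" are my own choices; the script assumes the ElasticSearch writer is available as Log::WRITER_ELASTICSEARCH.

```bro
##! Replace the default ASCII writer on HTTP::LOG with the ElasticSearch writer.
##! Added example, not part of the mailing-list thread or the Bro distribution.

@load base/protocols/http

# HTTP::LOG is created in base/protocols/http at bro_init() &priority=5,
# and Log::create_stream attaches the "default" (ASCII) filter at that
# point. A lower priority guarantees this handler runs afterwards, so the
# stream and its default filter already exist when we touch them.
event bro_init() &priority=-5
	{
	# Drop the filter that writes http.log with Log::WRITER_ASCII.
	if ( ! Log::remove_filter(HTTP::LOG, "default") )
		Reporter::warning("HTTP::LOG has no filter named \"default\"");

	# Attach a filter bound to the ElasticSearch writer. "es" is an
	# arbitrary filter name chosen for this example; $path keeps the
	# same index/record name the ASCII writer would have used.
	Log::add_filter(HTTP::LOG, [$name="es",
	                            $writer=Log::WRITER_ELASTICSEARCH,
	                            $path="http"]);
	}
```

Because Log::enable_local_logging is left at its default of T, WriterFrontend still creates a backend for each filter; the only change is which writer the remaining filter uses, which is why no C++ edit is needed.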

