[Bro] The right way to disable bro write local file and enable elasticsearch

Mo Jia life.130815 at gmail.com
Thu May 21 19:59:01 PDT 2015 

Thanks .

Using this code success get my wish.

event bro_init() &priority=-5
{
for ( stream_id in Log::active_streams )
{
   Log::remove_filter(stream_id, "default");
}
}

by the way,
#:/usr/local/bro/logs/current$ ls
debug.log  packet_filter.log  stderr.log  stdout.log

These logs can't remove by this way.



2015-05-22 1:00 GMT+08:00 Daniel Thayer <dnthayer at illinois.edu>:
> Have you tried removing the default filter?
>
> event bro_init()
>     {
>     Log::remove_filter(HTTP::LOG, "default");
>
>     }
>
>
> On 05/21/2015 05:19 AM, Mo Jia wrote:
>>
>> And it seem that in frameworks/logging/man.bro. Everytime it create
>> stream.
>>
>> function add_default_filter(id: ID) : bool
>> {
>> return add_filter(id, [$name="default"]);
>> }
>>
>> this line auto create a  Log::WRITER_ASCII to stream.
>>
>> I am looking for a scripts-method to disable ascii log and enable
>> other writer. ( don't want change any c++ file in bro)
>> Does I need comment  this line. If in this way every time I install
>> new bro, I should change it .
>>
>>
>> 2015-05-21 17:59 GMT+08:00 Mo Jia <life.130815 at gmail.com>:
>>>
>>> I add redef Log::enable_local_logging = F; the elasticsearch can't
>>> work , I think the reason is in this func:
>>>
>>> WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo&
>>> arg_info, EnumVal* arg_stream, EnumVal* arg_writer, bool arg_local,
>>> bool arg_remote)
>>>     {
>>>
>>>     // comment
>>>
>>>     if ( local )
>>>        {
>>>        backend = log_mgr->CreateBackend(this, writer);
>>>
>>>        if ( backend )
>>>           backend->Start();
>>>        }
>>>
>>>     else
>>>        backend = 0;
>>>     }
>>>
>>> I know the ascii writer and elasticsearch plugin are both like a
>>> filter on a stream. I want to know the right way to disable the asscii
>>> writer?
>>>
>>> Is there somethings like a  single  var I can redef such as
>>> enable_ascii_logging ,
>>>
>>> event bro_init() &priority=5
>>> {
>>> Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http,
>>> $path="http"]);
>>> Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
>>> }
>>>
>>> This may create the stream and default make http.log can be create.
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>

More information about the Bro mailing list