[Bro] log streams in a bro cluster
Azoff, Justin S
jazoff at illinois.edu
Thu Jun 9 09:58:39 PDT 2016
> On Jun 9, 2016, at 9:48 AM, Luis Martin Liras <martin.liras at gmail.com> wrote:
> 2.- local-worker.bro:
>
> event bro_init() &priority=5
> {
> ...
> Log::create_stream(myprot::MY-PROT_LOG, [$columns=myprot_info, $path="myprot"]);
> Log::create_stream(myprot::MY-PROT_WARN, [$columns=myprot_info,$path="warnings"]);
>
> ...
>
> }
>
>
> 3.- local-manager.bro
>
...
Ah! The files you are putting things in are your problem. Take everything you put in local-worker.bro and local-manager.bro and put it into a script and load that script from local.bro.
When you use local-worker directly and call create_stream there, then the manager knows nothing about those log streams.
Additionally, if that is where you are defining the notice types, that will break notices as well, because when the notice reaches the manager it also has no idea what to do with it.
There aren't many things that people do that actually belong in the local-worker or local-manager scripts; everything should almost always just go in local.bro. Things like create_stream and NOTICE automatically do the right thing depending on what node they are run on.
--
- Justin Azoff
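As an added illustration of the layout Justin recommends (this is example code, not part of the thread), the stream definition lives in one script that local.bro loads on every node, so the manager has created the same stream the workers write to. The file name myprot.bro, the module name, the record fields and the connection_established handler are assumptions for the example.

```bro
# local.bro (loaded on every node of the cluster, manager and workers alike)
@load ./myprot

# myprot.bro -- assumed file name; module and fields are illustrative
module myprot;

export {
    # Register the stream IDs once; Bro identifiers use underscores, not hyphens
    redef enum Log::ID += { LOG, WARN };

    type Info: record {
        ts:  time    &log;
        uid: string  &log;
        id:  conn_id &log;
        msg: string  &log;
    };
}

event bro_init() &priority=5
    {
    # Runs on every node, so manager and workers agree on the stream set.
    Log::create_stream(myprot::LOG,  [$columns=Info, $path="myprot"]);
    Log::create_stream(myprot::WARN, [$columns=Info, $path="myprot_warnings"]);
    }

# Workers call Log::write here; in a cluster the records are forwarded to the
# manager, which can only write them out because it created the stream above.
event connection_established(c: connection)
    {
    Log::write(myprot::LOG, [$ts=network_time(), $uid=c$uid, $id=c$id, $msg="established"]);
    }
```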