[Bro] SQLite logging and as white/blacklist in a cluster

Papulis, George george.papulis at wustl.edu
Wed Oct 26 12:41:44 PDT 2016


Hello everyone,


I have a Bro script that logs events based on a blacklist, but I don't want to log the same IP/blacklisted item twice.  I was thinking I could log the data using the SQLite writer, and then also read from that database, checking if the event has been logged earlier.  Has anyone used the SQLite logging in a cluster, and if so, is there anything I should look out for?  The size of the log is very small.


Will I need to manually sync the database so each node in the cluster can reference the tables?


Thanks,

George Papulis, GCIA, GPEN

Information Security Analyst

Washington University in St. Louis

george.papulis at wustl.edu
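One way to do the "log each IP/item pair only once" check the post describes, as an added example written for this page (it is not from the original message or from the Bro project). It keeps the already-logged pairs in a Bro set instead of reading them back from SQLite, and writes the hits both to the normal ASCII log and to a SQLite database via the SQLite writer. The module name, the `Info` record, the stream `LOG`, the set `seen`, the database path and the blacklist set `Blacklist::items` (assumed to be a `set[addr]` defined elsewhere) are all assumptions made for illustration.

```bro
##! Added example: log a blacklist hit once per (host, item) pair.
##! Assumes a set `Blacklist::items` of type set[addr] defined in another
##! script; every other name here is chosen for this example.

module BlacklistHits;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:   time   &log;
        host: addr   &log;
        item: string &log;
    };

    ## (host, item) pairs that have already been written to the log.
    ## Entries age out after a day so a host that hits again later is
    ## logged again.  In a cluster this set is per node unless it is
    ## kept in sync (see the note after the code).
    global seen: set[addr, string] &create_expire = 1 day;

    ## Returns T and records the pair if it has not been logged yet,
    ## F if it has.
    global first_hit: function(host: addr, item: string): bool;

    ## Writes one log line if (host, item) has not been seen before.
    global log_hit: function(host: addr, item: string);
}

function first_hit(host: addr, item: string): bool
    {
    if ( [host, item] in seen )
        return F;

    add seen[host, item];
    return T;
    }

function log_hit(host: addr, item: string)
    {
    if ( first_hit(host, item) )
        Log::write(LOG, [$ts=network_time(), $host=host, $item=item]);
    }

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="blacklist_hits"]);

    # Second filter on the same stream: the same rows also go to SQLite,
    # which is what the post considers.  Path and table name are assumptions.
    Log::add_filter(LOG, [$name="sqlite",
                          $path="/var/db/blacklist_hits",
                          $writer=Log::WRITER_SQLITE,
                          $config=table(["tablename"]="hits")]);
    }

# Example hook: treat a connection to a blacklisted address as a hit,
# keyed on the originator and the blacklisted responder address.
event connection_established(c: connection)
    {
    if ( c$id$resp_h in Blacklist::items )
        log_hit(c$id$orig_h, fmt("%s", c$id$resp_h));
    }
```

Two cluster caveats matter for this pattern. First, `seen` lives on whichever node evaluates the event, so without synchronisation each worker deduplicates only its own traffic; in Bro 2.x the usual options are the `&synchronized` attribute on the set or forwarding hits to the manager with an event and doing the check there. Second, log writers run on the manager (or the dedicated logger node), not on the workers: the SQLite file is written there, so a worker cannot simply open it with the Input framework's `Input::READER_SQLITE` to check earlier entries unless that file is copied or shared to it, which is the "manual sync" the post asks about.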