[Bro] SQLite logging and as white/blacklist in a cluster

Papulis, George george.papulis at wustl.edu
Wed Oct 26 13:15:33 PDT 2016


Just once a day

________________________________
From: Azoff, Justin S <jazoff at illinois.edu>
Sent: Wednesday, October 26, 2016 3:10:55 PM
To: Papulis, George
Cc: bro at bro.org
Subject: Re: [Bro] SQLite logging and as white/blacklist in a cluster


> On Oct 26, 2016, at 3:41 PM, Papulis, George <george.papulis at wustl.edu> wrote:
>
> I have a bro script that logs events based on a blacklist, but I don't want to log the same IP - blacklisted item twice.  I was thinking I could log the data using the SQLite writer, and then also read from that database checking if the event has been logged earlier.  Has anyone used the SQLite logging in a cluster, and if so, is there anything I should look out for?  The size of the log is very small.
>
> Will I need to manually sync the database so each node in the cluster can reference the tables?
>

A different approach here is probably better.

What is your timeframe for not logging something twice? Forever? Or would once a day be OK?

--
- Justin Azoff
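One way to get the "once a day" behaviour the thread converges on without a shared SQLite database, as an added example that is not code from either poster: let the Notice framework deduplicate blacklist hits. Every notice that carries an `$identifier` and a `$suppress_for` interval is logged once and then suppressed for that interval, and in a cluster the manager owns the suppression state and pushes it to the workers, so no per-node database sync is needed. The module name, the notice type, the hard-coded sample addresses and the `connection_established` trigger are all assumptions chosen for illustration; a real deployment would load the blacklist through the Input or Intel framework.

```bro
##! Added example (not from the thread): raise a notice for a blacklisted
##! address at most once per day per address, cluster-wide, by leaning on
##! Notice framework suppression instead of a shared SQLite table.
##! Module name, notice type and sample addresses are constructed.

@load base/frameworks/notice

module BlacklistExample;

export {
    redef enum Notice::Type += {
        ## A connection involved an address on the local blacklist.
        Blacklist_Hit
    };

    ## Constructed sample blacklist (RFC 5737 documentation addresses);
    ## replace with the Input framework or the Intel framework in practice.
    const blacklist: set[addr] = { 192.0.2.10, 198.51.100.7 } &redef;

    ## How long a repeated hit for the same address stays suppressed.
    const hit_suppression = 1day &redef;
}

event connection_established(c: connection)
{
    local hit: addr;

    # Match either endpoint against the blacklist; bail out on no match.
    if ( c$id$orig_h in blacklist )
        hit = c$id$orig_h;
    else if ( c$id$resp_h in blacklist )
        hit = c$id$resp_h;
    else
        return;

    # $identifier is the key the Notice framework deduplicates on. With
    # $suppress_for set, the first notice for this address is written to
    # notice.log and later ones within the interval are dropped. In a
    # cluster the manager records the suppression and broadcasts it to all
    # workers, so a hit seen on a different worker is also suppressed.
    NOTICE([$note=Blacklist_Hit,
            $msg=fmt("Connection involving blacklisted address %s", hit),
            $conn=c,
            $identifier=cat(hit),
            $suppress_for=hit_suppression]);
}
```

The trade-off versus the SQLite approach in the original question: suppression state lives in memory on the manager and is lost on restart, which is usually acceptable for a one-day window and avoids every worker reading a database that the writer on another node is still updating.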


