[Bro] specific logging per worker

John Edwards jedwards2728 at gmail.com
Wed Jan 4 00:49:08 PST 2017


Hi Johanna, Thanks for the info. I have 1 worker up at the border
inspecting everything and another worker below a few firewall and IPS
systems. I have just installed another worker below all these inspection
points, but because all workers feed into a SIEM there's no need for the likes
of the conn.log etc. to be logging as much as it is off the same link,
duplicated into the SIEM, as it's charged based on consumption.

So if we had a worker below our inspection points only logging some of the
log types we would still get the security benefit of having a worker placed
there without the storage requirements.

Thanks John

On Tue, Jan 3, 2017 at 9:48 PM, Johanna Amann <johanna at icir.org> wrote:

> On Fri, Dec 16, 2016 at 02:09:09PM +1100, John Edwards wrote:
> > Hi all,
> >
> > If I have a cluster that contains 2 workers among a proxy and logger etc.,
> > Worker 1 watches and logs everything. Is there a way I can tell worker 2
> > to only log a specific protocol and not watch everything that Worker 1 does?
>
> You can add worker-specific configuration to local.bro using the @if
> directive.
>
> For example something like...
>
> @if ( Cluster::node == "worker-1" )
>
> # things here will only be executed on node named worker-1
>
> @endif
>
> That being said - why exactly do you want to do that? In a traditional
> cluster setting, the traffic is split evenly among the workers and you
> typically want everyone to perform exactly the same actions.
>
> Johanna
>
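An added example of the worker-specific configuration Johanna describes, applied to John's use case (this is not code from the thread or from the Bro project). It is a local.bro fragment for the node that sits below the inspection points: inside the @if block, a bro_init handler disables every log stream except a short keep-list, so that worker still performs full analysis but only ships the selected logs to the logger and on to the SIEM. The node name "worker-2" and the contents of the keep-list are assumptions; they must match node.cfg and whatever logs you actually want from that vantage point.

```bro
# Added example (not from the original thread or the Bro distribution).
# Keeps only a short list of log streams on the node named "worker-2",
# assumed to be the worker placed below the firewall/IPS inspection points.
# Node name and stream list are assumptions; adjust to match node.cfg.

@if ( Cluster::node == "worker-2" )

# Streams this worker should still send to the logger (assumed selection).
const downstream_keep: set[Log::ID] = {
	Notice::LOG,
	Intel::LOG,
	Files::LOG,
	Weird::LOG,
};

# Each protocol script creates its stream in its own bro_init(); the negative
# priority makes this handler run after all of those, so every stream is
# already present in Log::active_streams. Stream IDs are first collected and
# then disabled in a second loop so the table is not modified while iterating.
event bro_init() &priority=-10
	{
	local to_disable: set[Log::ID];

	for ( id in Log::active_streams )
		{
		if ( id !in downstream_keep )
			add to_disable[id];
		}

	for ( id in to_disable )
		Log::disable_stream(id);
	}

@endif
```

Two caveats worth knowing before relying on this. First, @if is evaluated when the script is parsed, so the comparison has to match the node name in node.cfg exactly; on a standalone (non-cluster) run Cluster::node is the empty string and the whole block is skipped. Second, disabling a stream on a worker stops that worker's Log::write calls for it at the source, which is what removes the duplicate conn.log volume from the logger and the SIEM feed; the analyzers, notices and intel matching on that worker keep running, which is the security benefit John wants to retain.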