[Bro] Bro cluster requirements and manager logging backlog bug
Azoff, Justin S
jazoff at illinois.edu
Thu Jan 5 07:46:09 PST 2017
> On Jan 5, 2017, at 10:31 AM, Hovsep Levi <hovsep.sanjay.levi at gmail.com> wrote:
>
> Ok. Do you know offhand what file I would look into to make that change? Also, after creating multiple loggers how would I make each one disable local logging and instead use a kafka export?
>
Someone that does this now using the kafka plugin could answer better, but I think it's a matter of using a small script. The kafka plugin comes with a script like this:
event bro_init() &priority=-5
    {
    for (stream_id in Log::active_streams)
        {
        if (stream_id in Kafka::logs_to_send)
            {
            local filter: Log::Filter = [
                $name = fmt("kafka-%s", stream_id),
                $writer = Log::WRITER_KAFKAWRITER,
                $config = table(["stream_id"] = fmt("%s", stream_id))
            ];
            Log::add_filter(stream_id, filter);
            }
        }
    }
I think you would change it to be something like
event bro_init() &priority=-5
    {
    for (stream_id in Log::active_streams)
        {
        local filter: Log::Filter = [
            $name = fmt("kafka-%s", stream_id),
            $writer = Log::WRITER_KAFKAWRITER,
            $config = table(["stream_id"] = fmt("%s", stream_id))
        ];
        # Remove the stream's default filter (local log file) before adding the Kafka one.
        Log::remove_default_filter(stream_id);
        Log::add_filter(stream_id, filter);
        }
    }
--
- Justin Azoff