[Bro] multiple tables in SQLite Database

Ul Asad, Hafiz Hafiz.Ul-Asad.1 at city.ac.uk
Sat Mar 25 07:51:57 PDT 2017


Thanks,

And have you tried multiple tables? And if yes, how to add multiple tables?


Asad

-----Original Message-----
From: Aashish Sharma [mailto:asharma at lbl.gov] 
Sent: 25 March 2017 14:47
To: Ul Asad, Hafiz <Hafiz.Ul-Asad.1 at city.ac.uk>
Cc: bro at bro.org
Subject: Re: [Bro] multiple tables in SQLite Database

This page should help:

https://www.bro.org/sphinx/components/bro-plugins/postgresql/README.html

Basically,

event bro_init()
    {
    local filter: Log::Filter =
        [
        $name="postgres",
        $path="conn",
        $writer=Log::WRITER_POSTGRESQL,
        $config=table(["dbname"]="testdb")
        ];

    Log::add_filter(Conn::LOG, filter);
    }

On Sat, Mar 25, 2017 at 02:39:19PM +0000, Ul Asad, Hafiz wrote:
> Thanks Aashish,
> 
> So you mean the following script,
> 
> event bro_init()
>     {
>     local filter: Log::Filter =
>         [
>         $name="sqlite",
>         $path="/var/db/conn",
>         $config=table(["tablename"] = "conn"),
>         $writer=Log::WRITER_SQLITE
>         ];
>     
>      Log::add_filter(Conn::LOG, filter);
>     }
> 
> Would write conn.log to a "postgres" database if we make what changes?
> 
> Asad
> 
> -----Original Message-----
> From: Aashish Sharma [mailto:asharma at lbl.gov] 
> Sent: 25 March 2017 14:25
> To: Ul Asad, Hafiz <Hafiz.Ul-Asad.1 at city.ac.uk>
> Cc: bro at bro.org
> Subject: Re: [Bro] multiple tables in SQLite Database
> 
> Asad, 
> 
> You'd need to use Postgres instead. SQLite + Bro is good for read-only operations. If you have a lot of reads/writes, Postgres works fantastic. It should be fairly straightforward to port your current Bro SQLite policy to use Postgres code. I have been using Postgres instead as well. Don't use SQLite.
> 
> Aashish  
> 
> On Sat, Mar 25, 2017 at 09:39:28AM +0000, Ul Asad, Hafiz wrote:
> > Bro Users,
> > 
> > I have been trying to have multiple logs in a single SQLite database, but I am getting the "database is locked" error. This problem was previously raised here: https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aworklog-tabpanel. I wonder if there has been any solution for it in Bro 2.5?
> > 
> > Regards
> > Asad
> 
> 
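
The "database is locked" error from the original question, reproduced outside Bro as an added example (not code from this thread or from the Bro project). It assumes each log stream's writer holds its own connection to the same SQLite file; the table names, rows and the busy-timeout setting are constructed for illustration and are not Bro options.

```python
import os
import sqlite3
import tempfile
import threading
import time


def second_writer_outcome(busy_timeout_s, hold_s=0.3):
    """One connection holds a write transaction on table `conn` while a second
    connection inserts into table `http` in the same file. Returns "ok" or the
    SQLite error text the second writer received."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "logs.sqlite")  # constructed path
        setup = sqlite3.connect(db)
        setup.executescript(
            "CREATE TABLE conn (ts REAL, uid TEXT);"
            "CREATE TABLE http (ts REAL, uri TEXT);"
        )
        setup.close()
        locked = threading.Event()

        def conn_writer():
            c = sqlite3.connect(db, isolation_level=None)
            # The write lock covers the whole database file, not just one table.
            c.execute("BEGIN IMMEDIATE")
            c.execute("INSERT INTO conn VALUES (1490453517.0, 'C1')")
            locked.set()
            time.sleep(hold_s)  # simulate a writer that is slow to commit
            c.execute("COMMIT")
            c.close()

        t = threading.Thread(target=conn_writer)
        t.start()
        locked.wait()
        # timeout=0 means fail at once; a positive value retries until it expires.
        http = sqlite3.connect(db, timeout=busy_timeout_s, isolation_level=None)
        try:
            http.execute("INSERT INTO http VALUES (1490453517.1, '/index.html')")
            outcome = "ok"
        except sqlite3.OperationalError as exc:
            outcome = str(exc)
        finally:
            http.close()
            t.join()
    return outcome


if __name__ == "__main__":
    print("no busy timeout:", second_writer_outcome(0))
    print("5 s busy timeout:", second_writer_outcome(5))
```

Writing to a different table does not avoid the conflict, because SQLite serialises writers per database file; a server database such as PostgreSQL, as recommended in the reply, does not have this single-writer limit.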


