[Bro] multiple tables in SQLite Database

Init Conf init.conf at gmail.com
Sat Mar 25 08:03:35 PDT 2017 

You create a new filter for each table. 

local conn_filter: LOG::Filter =  [ …. ] 
local dns_filter: LOG::Filter = [ ….. ] 

then set $path and $name for each individual table as you see fit. 

If tables don’t exist in postgres, bro creates them for you. 

then depending on log stream:

Log::add_filter(Conn::LOG, conn_filter);
Log::add_filter(DNS::LOG, dns_filter);


> On Mar 25, 2017, at 7:51 AM, Ul Asad, Hafiz <Hafiz.Ul-Asad.1 at city.ac.uk> wrote:
> 
> Thanks,
> 
> And have you tried multiple tables? And if yes, how to add multiple tables?
> 
> 
> Asad
> 
> -----Original Message-----
> From: Aashish Sharma [mailto:asharma at lbl.gov] 
> Sent: 25 March 2017 14:47
> To: Ul Asad, Hafiz <Hafiz.Ul-Asad.1 at city.ac.uk>
> Cc: bro at bro.org
> Subject: Re: [Bro] multiple tables in SQLite Database
> 
> This page should help:
> 
> https://www.bro.org/sphinx/components/bro-plugins/postgresql/README.html
> 
> basically, 
> 
> event bro_init()
> {
>    local filter: Log::Filter = 
> 	[
> 	$name="postgres", 
> 	$path="conn", 
> 	$writer=Log::WRITER_POSTGRESQL, 
> 	$config=table(["dbname"]="testdb")
> 	];
> 	
>    Log::add_filter(Conn::LOG, filter);
> }
> 
> On Sat, Mar 25, 2017 at 02:39:19PM +0000, Ul Asad, Hafiz wrote:
>> Thanks Aashish,
>> 
>> So you mean the following script,
>> 
>> event bro_init()
>>    {
>>    local filter: Log::Filter =
>>        [
>>        $name="sqlite",
>>        $path="/var/db/conn",
>>        $config=table(["tablename"] = "conn"),
>>        $writer=Log::WRITER_SQLITE
>>        ];
>> 
>>     Log::add_filter(Conn::LOG, filter);
>>    }
>> 
>> Would write conn.log to a "postgres" database if we make what changes??
>> 
>> Asad
>> 
>> -----Original Message-----
>> From: Aashish Sharma [mailto:asharma at lbl.gov] 
>> Sent: 25 March 2017 14:25
>> To: Ul Asad, Hafiz <Hafiz.Ul-Asad.1 at city.ac.uk>
>> Cc: bro at bro.org
>> Subject: Re: [Bro] multiple tables in SQLite Database
>> 
>> Asad, 
>> 
>> You'd need to use postgres instead. SQLite + BRO is good for readonly operations. If you have a lot of reads/writes Postgres works fantastic. It should be fairly straight forward to port your current bro SQLITE policy to use postgres code. I have been  using postgres instead as well. Don't use sqlite. 
>> 
>> Aashish  
>> 
>> On Sat, Mar 25, 2017 at 09:39:28AM +0000, Ul Asad, Hafiz wrote:
>>> Bro Users,
>>> 
>>> I have been trying to have multiple logs in a single sqlite database but I am getting the "the database is locked error". This problem was previously raised here, https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aworklog-tabpanel. I wonder if there has been any solution for it in the Bro 2.5?
>>> 
>>> Regards
>>> Asad
>> 
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list