[Bro] Bro logs - enable_local_logging and remove_default_filter

Johanna Amann johanna at icir.org
Thu Dec 13 13:51:08 PST 2018


Hi Hovsep,

[...]

> Historically I modify the KafkaLogger plugin slightly to support disabling
> the writing of logs to disk by adding a function call to
> "Log::remove_default_filter" for each log.  With Bro 2.6 this no longer
> seems to work the way it once did.

I just looked and I did not really see any big way in which this changed.
Could you perhaps provide a code-snippet that does not work anymore?

I also just tried a minimal example script and Log::remove_default_filter
seems to work as expected.

[...]

> But when I try to set Log::enable_local_logging=0 within the KafkaLogger
> plugin loop for each log I get an error.

This is probably a misunderstanding. Log::enable_local_logging is not a
per-log setting - so there is nothing to loop over.

If you do a

redef Log::enable_local_logging = F;

the setting will persist. That being said, you will very probably not want
to enable this; it means something slightly different than what you
expect. Remote logging means that a log is sent to a remote Bro
instance; local logging means that logging is performed by the current
node. If you set enable_local_logging to false on a node, it will not
output any kind of logs directly itself - this includes sending logs to
Kafka - from a Bro point of view, these are local logs (the logging is
performed by the local node).

By default this is set to "T" in standalone mode; in clusters the setting
is "T" on Logger nodes and "F" on all other nodes, which is very probably
what you want.

I hope this helps,
 Johanna
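
Added example, not part of the original message and not the KafkaLogger plugin's code: a Bro 2.6 script that takes the per-stream route discussed above, removing each stream's default on-disk filter and attaching a replacement filter while leaving Log::enable_local_logging untouched. The module name, option names and filter name are hypothetical; Log::WRITER_NONE stands in for the writer enum a Kafka plugin would register.

```bro
module NoDiskLogs;

export {
	# Writer used by the replacement filter. Log::WRITER_NONE ships with Bro
	# and discards every entry. A Kafka plugin registers its own Log::Writer
	# enum value; its name depends on the plugin (assumption: redef this).
	const replacement_writer = Log::WRITER_NONE &redef;

	# Streams that should keep their default ASCII filter and stay on disk.
	const keep_on_disk: set[Log::ID] = set() &redef;
}

# Log::enable_local_logging is deliberately left alone. It is one global
# switch, not a per-stream option; set to F, the node stops writing through
# any writer, the Kafka one included.

# Most scripts create their streams in bro_init at priority 5, so a handler
# with a negative priority runs after the streams exist.
event bro_init() &priority=-5
	{
	for ( id in Log::active_streams )
		{
		if ( id in keep_on_disk )
			next;

		# Returns F when the stream has no filter named "default", for
		# example because another script already removed it.
		if ( ! Log::remove_default_filter(id) )
			Reporter::warning(fmt("no default filter on stream %s", id));

		# No $path given, so the stream's own path is used.
		Log::add_filter(id, [$name="replacement", $writer=replacement_writer]);
		}
	}
```

With the stock value of replacement_writer nothing is written at all for the affected streams, which makes it easy to confirm that the default filters are gone before pointing the option at a real writer.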

