[Bro] How to get generated specific log files under DEFAULT path (e.g. notice.log)

Johanna Amann johanna at icir.org
Fri Jan 26 09:41:08 PST 2018


Hi,

did you randomly already find a solution for this in the meantime? Just
from reading over this, I am a bit at a loss for why this would happen.

Basically - the on-disk files are created the first time that something is
written into them. So - it is normal that a notice.log might not show up
immediately. However, it should show up after you call NOTICE.

It is a bit weird that it would work after you put a full path into
notice/main - I am not sure why this would change anything.

How exactly did you try to generate your test notice? Note that if you are
using cluster mode, a NOTICE in bro_init() will probably not show up in
notice.log due to the fact that the logging connections are not set up yet
when it is raised.

Also - what Bro version are you using?

Johanna

On Sat, Dec 16, 2017 at 08:59:30AM +0100, Zick Zack wrote:
> Hi Bro'ers
> 
> I have a problem getting a notice.log file generated with its DEFAULT path.
> 
> Short description of my problem:
> 
>   * whenever I start Bro to do sth., I get some log-files generated
>     (e.g. communication, http, ...) in a folder named /var/log/bro
>   * however (also after a "deploy" command!), when I call e.g.
>     "NOTICE([$note=***, $msg="***"])", a notice.log file is NOT
>     generated ANYWHERE on my VM
>   * I can somehow circumvent that by manipulating the
>     share/bro/base/frameworks/notice/main.bro file, when I explicitly
>     set the $path variables in there to my absolute path like
>     "/var/log/bro/notice"
> 
> Some background I already found out:
> 
>   * it is said in the Bro documentation NOT to change any files in the
>     directories (and their sub-folders) under share/bro EXCEPT the
>     share/bro/site folder
>   * I found out that all the modules for which the DEFAULT path log-file
>     generation is working somehow load (directly or indirectly) the
>     base/utils/paths or the base/utils/site modules
> 
> What I want:
> 
>   * getting my notice.log file generated without specifying an absolute
>     path; only the file-name (just like it works for the other log
>     files in my /var/log/bro folder)
> 
> Please help me to get my notice.log file WITHOUT manipulating files
> which one should not touch!
> 
> Thanks a lot in advance!

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
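A minimal test script for the situation discussed in this thread, added here as an example; it is not code from either poster or from the Bro project. It assumes the script is loaded from share/bro/site/local.bro (so nothing under share/bro/base is touched); the module name NoticeLogTest and the notice type Test_Notice are made up for the example. The NOTICE is raised from connection_established rather than bro_init(), so the first write happens after network time has started and, in cluster mode, after the logging connections are up; notice.log is created in the default log directory at that first write.

```bro
##! Added example (not from the thread): raise a test notice from a
##! network event so notice.log appears under the default log directory
##! without editing anything under share/bro/base.
##! Assumed placement: share/bro/site/local.bro (or a script @loaded from it).
##! The module and notice type names are made up for this example.

@load base/frameworks/notice

module NoticeLogTest;

export {
	redef enum Notice::Type += {
		## Constructed notice type used only to exercise the logging path.
		Test_Notice
	};
}

## Remembers whether the test notice has been raised already, so each
## process emits it only once per run.
global test_notice_raised: bool = F;

## connection_established fires once traffic is flowing, i.e. after
## network time has started and (in cluster mode) after the logging
## connections to the manager/logger are established. Raising the NOTICE
## here instead of in bro_init() avoids the startup gap described in the
## reply above. notice.log is created on disk by this first write.
event connection_established(c: connection)
	{
	if ( test_notice_raised )
		return;

	test_notice_raised = T;

	NOTICE([$note=NoticeLogTest::Test_Notice,
	        $msg=fmt("test notice raised on first established connection from %s",
	                 c$id$orig_h),
	        $conn=c]);
	}
```

Once loaded via broctl deploy, a single established connection on a monitored worker is enough to make notice.log appear in the default log directory.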
