Binpac exception

I added the below to remove syslog from getting logged in my local.bro, and I do not have a syslog.log as wanted:

event bro_init()
     {
     Log::disable_stream(Syslog::LOG);
     }

However I am seeing a large amount of the below in weird.log:

1405648595.773644 Comss94xWJf5CHpgnl 10.1.2.72 54619 10.21.0.23 514 binpac exception: string mismatch at /bro-2.3/src/analyzer/protocol/syslog/syslog-protocol.pac:8: \x0aexpected pattern: "[[:digit:]]+"\x0aactual data: "syslog message here" - F bro

My start line:

/usr/local/bin/bro --no-checksums -i eth0 local "Site::local_nets += { 192.168.1.0/24 }"

Is there a way I can troubleshoot this? Thank you.

James

Hi James,

Try adding this to your local.bro:

event bro_init() {
Analyzer::disable_analyzer(Analyzer::ANALYZER_SYSLOG);
}

This will disable the analyzer, while the code you tried will just disable the syslog.log output.

Hope that helps,

–Vlad
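For the troubleshooting part of James's question, it helps to measure how much of weird.log a single analyzer is responsible for before deciding whether disabling it (and losing all syslog parsing) is the right trade. The script below is an added example, not part of the original thread or of Bro itself: it parses the tab-separated weird.log layout, collapses the per-message `binpac exception` names down to the .pac file and line that raised them, and counts weirds per analyzer, per normalized name and per responder port. The first sample record copies the line quoted above; the other records, uids included, are constructed.

```python
"""Summarize a Bro/Zeek weird.log to see which analyzer is generating the noise."""
import re
from collections import Counter

# Constructed sample in the layout of a Bro 2.3 weird.log (tab-separated; the
# "#fields" header names the columns). The first record copies the line from the
# thread; the others are made up so the summary has something to compare against.
SAMPLE_WEIRD_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer\n"
    "1405648595.773644\tComss94xWJf5CHpgnl\t10.1.2.72\t54619\t10.21.0.23\t514\t"
    "binpac exception: string mismatch at /bro-2.3/src/analyzer/protocol/syslog/syslog-protocol.pac:8: "
    "\\x0aexpected pattern: \"[[:digit:]]+\"\\x0aactual data: \"syslog message here\"\t-\tF\tbro\n"
    "1405648596.100000\tCabc123constructed\t10.1.2.80\t41000\t10.21.0.23\t514\t"
    "binpac exception: string mismatch at /bro-2.3/src/analyzer/protocol/syslog/syslog-protocol.pac:8: "
    "\\x0aexpected pattern: \"[[:digit:]]+\"\\x0aactual data: \"another free-form line\"\t-\tF\tbro\n"
    "1405648597.200000\tCdef456constructed\t10.1.2.72\t54620\t10.21.0.23\t514\t"
    "binpac exception: string mismatch at /bro-2.3/src/analyzer/protocol/syslog/syslog-protocol.pac:8: "
    "\\x0aexpected pattern: \"[[:digit:]]+\"\\x0aactual data: \"yet another\"\t-\tF\tbro\n"
    "1405648598.300000\tCghi789constructed\t10.1.2.90\t53011\t10.21.0.5\t53\tdns_unmatched_msg\t-\tF\tbro\n"
)

# "binpac exception: <kind> at <file>.pac:<line>" -- everything after the line
# number is the offending payload, which varies per message and must be dropped
# for the counts to aggregate.
BINPAC_RE = re.compile(r"^(binpac exception: .*? at (\S+\.pac):\d+)")
# The .pac path encodes the analyzer directory, e.g. .../analyzer/protocol/syslog/...
ANALYZER_RE = re.compile(r"/analyzer/protocol/([^/]+)/")


def parse_weird_log(text):
    """Return one dict per record, keyed by the column names from the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # header missing or malformed line: skip rather than guess columns
        records.append(dict(zip(fields, values)))
    return records


def normalize_name(name):
    """Collapse a binpac exception to (stable name, analyzer); other weirds pass through."""
    m = BINPAC_RE.match(name)
    if not m:
        return name, "-"
    a = ANALYZER_RE.search(m.group(2))
    return m.group(1), (a.group(1) if a else "unknown")


def summarize(text):
    """Count weirds by analyzer, by normalized name and by responder port."""
    by_analyzer, by_name, by_resp_port = Counter(), Counter(), Counter()
    for rec in parse_weird_log(text):
        name, analyzer = normalize_name(rec["name"])
        by_analyzer[analyzer] += 1
        by_name[name] += 1
        by_resp_port[rec["id.resp_p"]] += 1
    return {"by_analyzer": by_analyzer, "by_name": by_name, "by_resp_port": by_resp_port}


if __name__ == "__main__":
    summary = summarize(SAMPLE_WEIRD_LOG)
    for key in ("by_analyzer", "by_name", "by_resp_port"):
        print(key)
        for value, count in summary[key].most_common(5):
            print(f"  {count:6d}  {value}")
```

Run it against a real file with `summarize(open("weird.log").read())`; if the `syslog` bucket dominates and the responder port is 514 throughout, the noise is confirmed to come from free-form messages that the Bro 2.3 syslog grammar cannot parse, and the choice is between disabling the analyzer as Vlad suggests and living with the weird.log volume while keeping syslog.log.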

Thanks Vlad… I’ll give that a go.

James