Bro logging

David_Vasil1 · February 20, 2006, 4:35pm

Hello, I'm using Bro 1.0 with some success at high rates of traffic. I
would like to configure some automatic handling of
signiture/portscans/etc by parsing log output with SEC and syslog-ng. I set 'redef syslog_alarms = T;' in my site policy after which Bro failed to start giving this warning:

line 51 (syslog_alarms): error, "redef" used but not previously defined

I tried setting 'global enable_syslog = T &redef;' instead, but it didnt seem to put any of the warnings from signitures in syslog.

What is the proper way of doing this? Thanks.

Brian_Tierney · February 20, 2006, 10:34pm

Sorry, but the manual is not correct re: 'redef syslog_alarms = T;'

However by default all alarms should be going to syslog, (see bro.init: const enable_syslog = T &redef;)

You have alerts in your alarm file that are not in syslog? Maybe check you syslog.conf file?

Topic		Replies	Views
more syslog? Zeek	1	61	May 6, 2022
Notifications from Local.bro Zeek	9	83	May 6, 2022
How to turn off logging Bro alerts via syslog Zeek	1	58	May 6, 2022
Another Doubt Zeek	2	92	May 6, 2022
How to turn off logging Bro alerts via syslog Zeek	1	57	May 6, 2022

Bro logging

Related Topics