bro operational questions

Hi,
I need to keep bro up and running to process logs continuously. I was wondering what folks would suggest for doing that. Does broctl automatically restart the process if it dies?

Using broctl, how do I specify snaplen=X in the config file? I have tried putting variations of this into broctl.cfg, but it's not happy:
  BroArgs = snaplen 65535

Finally, what is the best way to specify the logging output path? Is this in a config file or do I need to set it in a script?
  Log::add_filter(HTTP::LOG, [$name="myname", $path="/my/custom/path/basename", …
Ideally, I would like to set the path on ALL logs with one setting, not just http.

Thank you.

> I need to keep bro up and running to process logs continuously. I was wondering what folks would suggest for doing that. Does broctl automatically restart the process if it dies?

Yes, it does. BroControl was built around the need to keep running Bro constantly. You need to make sure that you have a cron job in your system's crontab to run the "broctl cron" command. It's documented at this section of our quick start guide:

  http://bro-ids.org/documentation/quickstart.html#a-minimal-starting-configuration

> Using broctl, how do I specify snaplen=X in the config file? I have tried putting variations of this into broctl.cfg, but it's not happy:
>   BroArgs = snaplen 65535

Into your local.bro add this (then in broctl, do "check", "install", "restart"):

redef snaplen = 65535;

It's not a command line argument (although you can give it that way, it's probably better to keep it as part of your Bro script configuration).

> Finally, what is the best way to specify the logging output path? Is this in a config file or do I need to set it in a script?
>   Log::add_filter(HTTP::LOG, [$name="myname", $path="/my/custom/path/basename", …

In broctl.cfg:

logdir=/my/custom/path/basename

The $path field in the logging framework is used as the filename for the various logs. We didn't use the term "filename" because once we have database output plugins the $path field will be used as the table name.

  .Seth
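As an added illustration (not part of the thread above, nor code from the Bro project), here is a local.bro fragment that puts the two script-side points of the reply together: the snaplen redef, and a logging filter whose $path is a file basename rather than a directory. The filter name "myname" and the basename "http-copy" are placeholders chosen for the example; the directory the finished logs land in is still controlled by logdir in broctl.cfg.

```bro
# Added example, not from the original thread. Assumes Bro 2.x run under
# BroControl; "myname" and "http-copy" are illustrative placeholders.

# Capture whole packets instead of the default snaplen. This is a script
# setting, so after editing local.bro run: broctl check, install, restart.
redef snaplen = 65535;

event bro_init()
    {
    # $path is the basename of the log file, not a directory: this filter
    # writes a second copy of the HTTP stream as http-copy.log alongside the
    # http.log produced by the built-in "default" filter. Both are rotated
    # into the directory given by logdir in broctl.cfg, so one broctl.cfg
    # setting moves every log, with no per-stream filter needed for that.
    Log::add_filter(HTTP::LOG, [$name="myname", $path="http-copy"]);
    }
```

If the goal is only to relocate all logs, the redef and the bro_init block are unnecessary; setting logdir in broctl.cfg is the single switch, and per-stream filters like the one above are for cases where a stream should additionally be written under a different basename.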