broctl Email Reports

I like that broctl will roll logs over every hour. My default
broctl.cfg file includes:

# Rotation interval in seconds for log files on manager/standalone node.
LogRotationInterval = 3600

I don't like getting an email from broctl every hour, though. Is
there a way to get a daily report, instead of an hourly report?

Related --

The Bro README [1] claims:

"BroControl sends four types of mails to the address given in MailTo:

1. When logs are rotated (per default once a day), a list of all
alarms during the last rotation interval is sent. This can be disabled
by setting MailAlarms=0."

But elsewhere in the README:

"LogRotationInterval (int, default 3600)
    The frequency of log rotation in seconds for the manager/standalone node."

This is confusing to me -- maybe someone can help me understand. Are
they talking about two different things?

[1] http://www.bro-ids.org/documentation/components/broctl/README.html

You sound like a perfect candidate for someone who wants to get their
logs into a frontend for reporting like Splunk or my ELSA project. I
have a how-to available here:
ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html .
This will let you do reporting and alerting at whatever interval
you're looking for.

I don't like getting an email from broctl every hour, though. Is
there a way to get a daily report, instead of an hourly report?

It's indeed coupled to log rotation currently, but you can change that
by redefining the rotation interval for the alarm summaries. Try this
in local.bro:

    event bro_init()
        {
        # Fetch the filter that feeds the alarm mails, lengthen its
        # rotation interval to a day, and re-add it under the same name.
        local f = Log::get_filter(Notice::ALARM_LOG, "alarm-mail");
        f$interv = 1day;
        Log::add_filter(Notice::ALARM_LOG, f);
        }

1. When logs are rotated (per default once a day),

Ah, that's outdated: the default log rotation used to be once a day,
but is now once an hour.

"LogRotationInterval (int, default 3600)

We should add a second option here that defines the rotation interval
for the alarm summaries separately.

Robin

Thanks Robin - I think this is exactly what I was looking for.

I tried adding what you recommended to my local.bro and then did a

broctl install
broctl update

but the connection summary email is still going out on the hour.

Is there something else that I need to do?

-Chris

Try restarting. bro_init handlers aren't invoked when updating. I'm not even sure that the logging framework is modifiable at runtime (we had a discussion about this a long time ago).

  .Seth

Hmm...I restarted bro and it's still sending Connection Summary
reports every hour.

Ah, ok, I thought your question was only about the alarm summaries
(they should now come once a day). The connection summaries can't
really be detached from the rotation because that's a post-processor
working on the conn.log file at the time it's closed and archived. If
you want them daily (but keep rotating conn.log hourly), you'd need to
do that externally, like with a cron job running over the archived
conn.logs.

(The tool that generates the summaries is "trace-summary", it can be
used standalone as well).

Robin
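One way to do the daily connection summary externally, as an added example that is not from this thread or from Bro/broctl itself: a POSIX shell script that collects one day's hourly conn.log archives and runs trace-summary over them. It assumes broctl's archive layout of logs/YYYY-MM-DD/conn.*.log.gz, that trace-summary accepts a plain conn.log path as its only argument, and that mail(1) exists; the archive root and recipient are placeholders.

```shell
#!/bin/sh
# Daily connection summary built from broctl's hourly conn.log archives.
# Added example, not part of broctl. Assumed (not stated in the thread):
# archives live under $BROLOGS/YYYY-MM-DD/conn.*.log.gz and trace-summary
# takes a plain conn.log path as its single argument.
set -eu

BROLOGS=${BROLOGS:-/usr/local/bro/logs}   # placeholder archive root
SUMMARIZER=${SUMMARIZER:-trace-summary}   # overridable for testing
MAILTO=${MAILTO:-bro@localhost}           # placeholder recipient

# Print the archived conn.log files of one day (YYYY-MM-DD), oldest first.
# The HH:MM:SS-HH:MM:SS names sort chronologically by plain string order.
conn_logs_for_day() {
    day_dir="$1/$2"
    [ -d "$day_dir" ] || return 1
    find "$day_dir" -name 'conn.*.log.gz' | sort
}

# Number of hourly files behind a day; check it is 24 before trusting
# the daily numbers, since a missing rotation silently shrinks the summary.
hourly_file_count() {
    conn_logs_for_day "$1" "$2" | wc -l | tr -d ' '
}

# Decompress all hourly files of one day into one temporary conn.log,
# run the summarizer over it and write the report to stdout.
summarize_day() {
    logroot="$1"; day="$2"; status=0
    files=$(conn_logs_for_day "$logroot" "$day") || {
        echo "no archived conn.logs for $day under $logroot" >&2
        return 1
    }
    tmp=$(mktemp)
    for f in $files; do gzip -dc "$f" >> "$tmp"; done
    "$SUMMARIZER" "$tmp" || status=$?
    rm -f "$tmp"
    return $status
}

# Cron entry (assumed): 0 1 * * * sh daily-conn-summary.sh --run
if [ "${1:-}" = "--run" ]; then
    yesterday=$(date -u -d yesterday +%Y-%m-%d 2>/dev/null \
                || date -u -v-1d +%Y-%m-%d)
    summarize_day "$BROLOGS" "$yesterday" \
        | mail -s "Daily connection summary $yesterday" "$MAILTO"
fi
```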

What is the recommended way to completely disable hourly reports?

In broctl.cfg, add "TraceSummary=" (i.e., set it to empty)

Robin