Does anyone have an example of diverting specific notices to a new log file?
Is the right approach to hook "Notice::policy" (with priority), Log::write to the new log stream and then 'break' from the hook?
-Dave
Yes… you’re on the right track. As it turns out I have a script that does exactly that.
The input file is so I can have a file with rows like
#fields ip note reason timestamp
1.2.3.4 TeamCymruMalwareHashRegistry::Match test box 1445362562
The key thing that my script does is
n$actions = set();
If you just wanted to move some notices to a different log file, you could accomplish that much more easily by using Log::add_filter with a path_func.
ignore-notices.bro (1 KB)
Thanks Justin,
The add_filter option you mentioned is probably the better route. I'm just looking to move "PacketFilter::Dropped_Packets" notices to a separate log.
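The Log::add_filter / path_func approach Justin suggests, applied to the PacketFilter::Dropped_Packets case Dave asks about, as an added example that is not from the thread or its attached script. It uses current Zeek naming (zeek_init, .zeek) rather than the Bro-era bro_init; the module name DivertNotices, the set diverted_notes, the function notice_path and the output path "notice_diverted" are all my choices. The point worth noticing is that the path_func is installed on the stream's default filter: if it were added as a second filter alongside the default one, each diverted notice would be written twice, once to notice.log and once to the new file.

```zeek
# Added example, not code from the mailing-list thread or its attachment.
# Routes selected notice types into their own log file by replacing the
# default filter of the Notice::LOG stream with one that uses a path_func.

@load base/frameworks/notice
@load base/frameworks/packet-filter   # defines PacketFilter::Dropped_Packets

module DivertNotices;

export {
	# Notice types that should go to notice_diverted.log instead of
	# notice.log. Name and contents are assumptions for this example.
	const diverted_notes: set[Notice::Type] = {
		PacketFilter::Dropped_Packets,
	} &redef;
}

# path_func signature: (stream id, default path, the record being logged).
# Returning a different string changes the log file for that record only.
function notice_path(id: Log::ID, path: string, rec: Notice::Info): string
	{
	if ( rec$note in diverted_notes )
		return "notice_diverted";

	# Everything else keeps the stream's default path ("notice").
	return path;
	}

# Run after the Notice framework has created its stream (priority 5),
# so the default filter exists and can be replaced.
event zeek_init() &priority=-5
	{
	# Replace rather than add: a second filter would log diverted
	# notices to both notice.log and notice_diverted.log.
	Log::remove_default_filter(Notice::LOG);
	Log::add_filter(Notice::LOG, [$name="default", $path_func=notice_path]);
	}
```

Load it with `zeek -i <iface> local divert-notices.zeek` (file name assumed). The hook-based alternative from Dave's first message still works when the notice should be suppressed from notice.log entirely and written somewhere with a different record type, but for "same record, different file" the filter is the smaller change and keeps all Notice::policy handling intact.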