I want to tightly control what Bro outputs. As a result, I run it with the "bare" option enabled. This works well except any scripts I load end up logging their own stuff. For example, if my script loads base/protocols/http, then that module ends up logging stuff to files.log and http.log. I was able to cut out the files.log by loading specifically base/protocols/http/main.bro, but http.log is still generated. Is there some other option I can use, perhaps in my script?
Thanks.
There are a couple of things you might do. You could modify the scripts
you want, put them in bro/share/site, and load them from there instead
of the usual spots, for instance. You could make a new directory under
the bro/share hierarchy, put your custom or test scripts in there, and
load the whole set using one '@load', if I recall correctly.
The best approach might be tuning the logging by customizing the logging
framework. See this section of the doc:
https://www.bro.org/sphinx/frameworks/logging.html
Please experiment, but remember not to modify any of the scripts in
the normal directories, that is, keep your mods to new directories or to
the bro/share/site directory, as others will be replaced with updates.
Thanks. I found the best way to do what I want by looking at the link you provided. In my bro_init() handler, I simply disable the HTTP module's logging like so:
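    event bro_init()
        {
        # Turn off the HTTP module's own stream (http.log).
        Log::disable_stream(HTTP::LOG);
        # Create this module's own streams; the IDs and record types
        # are declared elsewhere in the script.
        Log::create_stream(HTTP_LOG, [$columns = HTTPRequest]);
        Log::create_stream(P0F_LOG, [$columns = OSFingerprint]);
        }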
That handler disables the HTTP module's log and then creates two logs for the things I want to log in my module. Works like a champ!
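For readers who want the whole pattern in one file, the following is an added example and not code from the thread: a minimal module that loads only the HTTP main script, disables HTTP::LOG, and writes a reduced custom log in its place. The module name MyHTTP and the fields of the HTTPRequest record are assumptions; HTTP_LOG and HTTPRequest reuse the names from the snippet above.

```bro
@load base/protocols/http/main.bro

module MyHTTP;

export {
    # Hypothetical stream ID; the name follows the snippet in the thread.
    redef enum Log::ID += { HTTP_LOG };

    # Hypothetical column set: only the fields this deployment wants on disk.
    type HTTPRequest: record {
        ts:     time   &log;
        uid:    string &log;
        orig_h: addr   &log;
        method: string &log;
        uri:    string &log;
    };
}

# Negative priority so this handler runs after the HTTP module's own
# bro_init handler has created HTTP::LOG; disabling the stream then
# suppresses http.log while the HTTP analyzer events keep firing.
event bro_init() &priority=-5
    {
    Log::disable_stream(HTTP::LOG);
    Log::create_stream(MyHTTP::HTTP_LOG, [$columns=HTTPRequest]);
    }

# Write one record per request to the custom stream.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    Log::write(MyHTTP::HTTP_LOG, [$ts=network_time(), $uid=c$uid,
                                  $orig_h=c$id$orig_h, $method=method,
                                  $uri=original_URI]);
    }
```

Keeping the uid column lets records in the custom log be correlated with any other logs still being written for the same connection.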