does bro need root privilege?

Kenneth_Goldman · May 22, 2017, 7:43pm

New user, with a Fedora install.

1 - Starting with the basics. As a normal user:

[BroControl] > install
Error: running “bro -v” failed with output:
can’t open ‘debug.log’ for debugging output

Does bro have to run as root?

2 - Is there an NNTP reflector for this mailing list?

Daniel_Thayer · May 22, 2017, 8:47pm

The BroControl documentation explains how to run as a normal user:
https://www.bro.org/sphinx/components/broctl/README.html#using-brocontrol-as-an-unprivileged-user

Dave_Crawford · May 23, 2017, 1:59pm

I also created a plugin to automate the necessary ‘setcap’ calls during installs/deploys:

https://github.com/PingTrip/broctl-setcap

Dave

Kenneth_Goldman · May 23, 2017, 7:08pm

> To: Kenneth Goldman <kgoldman@us.ibm.com>, <bro@bro.org>
> Date: 05/22/2017 04:47 PM
> Subject: Re: [Bro] does bro need root privilege?
>
> The BroControl documentation explains how to run as a normal user:
> https://www.bro.org/sphinx/components/broctl/README.html#using-
> brocontrol-as-an-unprivileged-user

The spool and logs directories are in my home directory, and I edited
/etc/bro/broctl.cfg to point to them. They are rwx.

SpoolDir = /home/kgold/bro/spool
LogDir = /home/kgold/bro/logs

I'm still getting this error:

> > [BroControl] > install
> > Error: running "bro -v" failed with output:
> > can't open 'debug.log' for debugging output

Perhaps I'm editing the wrong configuration file and it's still
trying to open debug.log in a different directory?

Daniel_Thayer · May 24, 2017, 3:49pm

Which version of Bro are you using?

Kenneth_Goldman · May 31, 2017, 6:31pm

The quick starter refers to a notice.log file. It’s not being created.

Misconfiguration? What should I look for?

I do have “weird.log”, that seems undocumented. Could the name perhaps have changed?

Seth_Hall2 · May 31, 2017, 7:20pm

The quick starter refers to a notice.log file. It's not being created.

Logs in Bro are created when they are written to. It's like that none
of the scripts you have loaded are generating notices.

I do have "weird.log", that seems undocumented. Could the name perhaps have
changed?

The weird log's documentation can be found here:
https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info

.Seth

Kenneth_Goldman · June 2, 2017, 4:53pm

> From: Seth Hall <seth@corelight.com>
> To: Kenneth Goldman <kgoldman@us.ibm.com>
> Cc: bro <bro@bro.org>
> Date: 05/31/2017 03:20 PM
> Subject: Re: [Bro] Missing notice.log, have weird.log
>
> On Wed, May 31, 2017 at 2:31 PM, Kenneth Goldman <kgoldman@us.ibm.com> wrote:
> > The quick starter refers to a notice.log file. It's not being created.
>
> Logs in Bro are created when they are written to. It's like that none
> of the scripts you have loaded are generating notices.

Should it generate notices "out of the box"? I have not done any
customization.

notice/main.bro says this, which I read to mean ignore nothing.

const ignored_types: set[Notice::Type] = {} &redef;

If I have to customize something to get notices, is there a tutorial
on how to do that?

Topic		Replies	Views
does bro need root privilege? Zeek	1	64	May 6, 2022
Install Bro as a non-root user Zeek	3	91	May 6, 2022
how to run as non-root user? Zeek	5	84	May 6, 2022
What am I doing wrong here? Zeek	9	62	May 6, 2022
[Not] Running Bro as root? Zeek	13	93	May 6, 2022

does bro need root privilege?

Related Topics