Hello list,
I would like to redefine/disable http_log and "ignore" normal logging due to heavy http traffic on my net but I'm still interested in alerts triggered by HTTP_SensitiveURI. What is the best way to do this?
Thank you,
/rl
I would like to redefine/disable http_log and "ignore" normal logging
due to heavy http traffic on my net but I'm still interested in alerts
triggered by HTTP_SensitiveURI.
Is your concern the CPU time (which likely won't go down much if you turn
off logging), or the disk space? You can turn off the logging (the file
will be empty) using:
module HTTP;
event bro_init()
{
close(http_log);
}
- Vern
Hi Vern, list,
Vern Paxson wrote:
> Is your concern the CPU time (which likely won't go down
> much if you turn off logging), or the disk space?
> You can turn off the logging (the file will be empty) using:
thank you for the info, it did the trick ;-).
CPU isn't a big problem, storage neither, but we have those logs on http servers already and I tought that we can safe some IO and disk-space on IDS.
I know that the other way was to rewrite the http-*.bro modules but nicer is to disable it in may case.
Thx,
/rl