How to get generated specific log files under DEFAULT path (e.g. notice.log)

Zeek
1

Hi Bro’ers

I have a problem to get generated a notice.log file with it’s DEFAULT path.

Short description of my problem:

  • whenever I start Bro to do sth., I get generated some log-files (e.g. communication, http, …) in a folder named /var/log/bro

  • however (also after a “deploy” command!), when I call e.g. “NOTICE([$note=, $msg="”])", I get NOT generated a notice.log file ANYWHERE on my VM

  • I can somehow circumvent that by manipulating the share/bro/base/frameworks/notice/main.bro file, when I explicitly set the $path variables in there to my absolute path like “/var/log/bro/notice”
    Some background I already found out:

  • it is said in the Bro documentation NOT to change any files in the directories (and its sub-folders) from share/bro EXCEPT the share/bro/site-folder

  • I found out, all the modules for which the DEFAULT path log-file generation is working somehow load (directly or indirectly) the base/utils/paths or the base/utils/site modules
    What I want:

  • getting generated my notice.log file without specifiying an absolute path; only the file-name (just like as it works for the other log files in my /var/log/bro folder)
    Please help me to get my notice.log file WITHOUT manipulating files which one should not touch!

Thanks alot in advance!

2

Hi,

did you randomly already find a solution for this in the meantime? Just
from reading over this, I am a bit at a loss for why this would happen.

Basically - the on-disk-files are created the first time that something is
written into then. So - it is normal that a notice.log might not show up
immediately. However, it should show up after you call NOTICE.

It is a bit weird that it would work after you put a full path into
notice/main - I am not sure why this would change anything.

How exactly did you try to generate your test notice? Note that if you are
using cluster mode, a NOTICE in bro_init() will probably not show up in
notice.log due to the fact that the logging connections are not set up yet
when it is raised.

Also - what Bro version are you using?

Johanna