We are running Bro 0.9a8.14 on our Linux system. We notice that
/ is often 100% full because of huge /var/log/messages, which
seems filled with the Bro alerts that are also recorded in its
own alarm log file.
You shouldn't be recording a huge number of alarms. The philosophy is
that alarms should be of potential operator interest, while "notices" are
of general informational interest, but not something that should be
alarmed/syslog'd. If you send me the alarms (privately) I can suggest
some ways to filter them down.
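Before asking which alarms to filter, it helps to know which notice types are actually filling the syslog. The following is an added example, not code from the thread or from the Bro distribution: a small POSIX shell tally that counts notice types in syslog lines. It assumes each Bro entry looks like "<timestamp> <host> bro: <NoticeType> <message>" (an assumed layout, not Bro's documented syslog format; adjust the field extraction if your syslog prefix differs), and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines. The "bro: <NoticeType> ..."
# layout is an assumption for this example, not Bro's documented format.
SAMPLE=$(cat <<'EOF'
Jan 12 10:00:01 sensor bro: AddressScan 10.1.2.3 has scanned 100 hosts
Jan 12 10:00:02 sensor sshd[1234]: Accepted publickey for ops from 10.0.0.5
Jan 12 10:00:03 sensor bro: AddressScan 10.1.2.4 has scanned 100 hosts
Jan 12 10:00:04 sensor bro: PortScan 10.1.2.9 has scanned 50 ports of 10.0.0.1
Jan 12 10:00:05 sensor bro: AddressScan 10.1.2.5 has scanned 100 hosts
Jan 12 10:00:06 sensor bro: SensitiveConnection 10.1.2.7/31337 > 10.0.0.2/22
Jan 12 10:00:07 sensor bro: AddressScan 10.1.2.6 has scanned 100 hosts
Jan 12 10:00:08 sensor bro: PortScan 10.1.2.8 has scanned 50 ports of 10.0.0.3
EOF
)

# tally_notices: read syslog lines on stdin, print "<count> <NoticeType>"
# for every Bro line, most frequent type first. Non-Bro lines are skipped.
tally_notices() {
    awk '/ bro: / {
        n = index($0, " bro: ")            # locate the Bro prefix
        split(substr($0, n + 6), f, " ")   # first token after it is the type
        print f[1]
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# top_notice: just the name of the single noisiest notice type on stdin.
top_notice() {
    tally_notices | head -n 1 | cut -d' ' -f2
}

# Stand-alone usage: run the tally over the constructed sample.
printf '%s\n' "$SAMPLE" | tally_notices
```

On a real sensor, replace the constructed sample with `tally_notices < /var/log/messages`; the types at the top of the list are the candidates to demote from alarms to notices (or to drop) rather than the log file itself.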
Would we be missing any Bro alerts if we delete /var/log/messages?
They'll still be recorded in alarm.$BRO_LOG_SUFFIX, but deleting
/var/log/messages is the wrong way to fix the problem!