Limiting the number of scripts and log files bro uses?

Hello,

I am interested in learning how to limit the number of logs and scripts bro uses.

With the default installation, installed via the source method (make install), bro uses a huge number of scripts, as reported by the broctl CLI's "scripts" command. Is there a way to reduce those numbers?

Maybe a better question would be: "I just want dns logger generated" - is there a way to do that?

Thank you.


You can run in "bare mode" with the -b flag. That will cause Bro to only load stuff that is necessary to load due to a core dependency.


Thank you.
Can I start bro with using broctl shell?

Not at this time. We don't provide a mechanism to load a limited subset of scripts with BroControl.

You *could* try adding "BroArgs=-b" into broctl.cfg, but without looking, I have no clue if that would have any repercussions. If you did that, you'd also want to make sure you have a pretty empty local.bro since broctl loads local.bro too.


> You *could* try adding "BroArgs=-b" into broctl.cfg...

We have been using the "BroArgs=-b" configuration parameter for a while. If you use this option in a cluster setup, be sure to load core frameworks such as cluster, notice, control, etc. in local.bro or you may see some strange things. You may just want to load all of the frameworks defined in <bro dir>/share/bro/base/init-default.bro and then selectively add desired functionality on top of that. It took us a little playing around to get all of the dependencies lined up for what we wanted to analyze, but the filtered results and performance increase were worth it.


Hm, I'm surprised those things aren't automatically loaded. BroControl should be loading those even if you are running in bare mode.


BroControl loads those things automatically (even when BroArgs=-b).
This can be confirmed by running "broctl scripts" (the output shows
all scripts loaded by Bro).