more syslog?

While I am enjoying running my new bro-0.8_32, I find that some of the
stuff gets reported to syslog (such as ContentGap and some FTP attacks),
while the rest is getting piled to multiple files (ftp.log, http.log,
etc). I looked at the manual and the *.bro file and it looks like it's
hard-coded with ALERT statements. Is there any way to globally redirect
everything to syslog?

There's no single mechanism for doing this.

You should be able to send all the log files to a single location by
redef'ing the various log file variables such as ftp_log, etc. For many
environments, you wouldn't want to syslog all of it, as it rapidly runs
into an immense amount of logging.

For finer-grained control over ALERT processing, Robin Sommer has contributed
the notion of an event that's generated after ALERT does its processing.
(This is in the 0.8a34 release that I just announced.) It looks like:

  event alert_action(a: alert_info, action: AlertAction)

Because it's parameterized with the corresponding action, you can then
incorporate the action into your decision about what to do with the alert.
ALERT still generates a syslog for loggable actions, and prints the alert
to the alert log; perhaps it shouldn't, I'm undecided at this point.

Looking down the road, Umesh Shankar has implemented a "match" facility
that will provide more powerful event filtering & action designation.
I haven't integrated his changes yet, but will soon - I finally have dug
out for a bit and have some time for Bro development.

    Vern
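As an added illustration (not code from the thread, nor from the Bro distribution), here is one way the alert_action event Vern quotes could be used to get the original poster's "everything to syslog" behaviour without duplicating what ALERT already sends. It assumes the event signature shown above (Bro 0.8a34), an alert_info record with `alert` and `msg` fields, an AlertAction value named ALERT_FILE that means "file only", and a `syslog(s: string)` built-in; every one of those names is an assumption to check against your release's alert.bro and bro.bif.

```bro
# Added example; assumes the alert_action event from Bro 0.8a34, an
# alert_info record with 'alert' and 'msg' fields, an AlertAction value
# ALERT_FILE meaning "write to the alert log only", and a syslog(s: string)
# built-in. Verify each name against your own release before use.

# Alerts that should stay file-only even under this handler (site choice).
const no_syslog_alerts: set[string] = { } &redef;

event alert_action(a: alert_info, action: AlertAction)
	{
	# ALERT already syslogs the loggable actions; only the file-only
	# ones need forwarding, which keeps each alert to a single syslog line.
	if ( action != ALERT_FILE )
		return;

	# Honour the per-site exclusion list above.
	if ( fmt("%s", a$alert) in no_syslog_alerts )
		return;

	# Forward the remaining alerts, tagging them with the action ALERT chose
	# so a downstream syslog filter can still tell the two classes apart.
	syslog(fmt("bro alert %s (action %s): %s", a$alert, action, a$msg));
	}
```

Because the handler keys off the action rather than the alert type, the decision about which alerts to syslog stays in one place; sites that find the volume too high can add alert names to `no_syslog_alerts` via redef instead of editing the handler.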