Multiple logs in one SQLite database

Hello,

I am trying to set up Bro to log all the events to a SQLite database. In my local.bro file, I have added an event bro_init() with filters specifying the writer to be WRITER_SQLITE like this:

local filter_conn: Log::Filter =
[
$name="sqlite",
$path="/var/db/conn",
$config=table(["tablename"] = "conn"),
$writer=Log::WRITER_SQLITE
];

Log::add_filter(Conn::LOG, filter_conn);

local filter_notice: Log::Filter =
[
$name="sqlite",
$path="/var/db/conn",
$config=table(["tablename"] = "notice"),
$writer=Log::WRITER_SQLITE
];

Log::add_filter(Notice::LOG, filter_notice);

… + other filters for http, dhcp and weird set accordingly.

I want the logs to be written to separate tables in one SQLite database. However, when I run bro with this configuration, I almost immediately get SQLite errors:

error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: SQLite call failed: database is locked
error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: terminating thread

After that, nothing else is written to the affected table. Could you please suggest what I should do to achieve logging to one database with multiple tables?

Thanks

Hello Jakub,

This is a known bug at the moment - tracked in https://bro-tracker.atlassian.net/browse/BIT-1325

At the moment there is no workaround to this, besides writing to separate sqlite database files -- sorry.

Johanna
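
The workaround mentioned above (one SQLite database file per log stream), written out as an added example that is not part of the original thread or the Bro project's own code. The directory, the per-stream names and the `sqlite_dir` / `sqlite_streams` identifiers are assumptions; the filter fields are the ones used in the question.

```bro
# Added example: give every log stream its own SQLite database file so that
# no two SQLite writers open the same file.
# sqlite_dir and sqlite_streams are hypothetical names; adjust to your setup.
const sqlite_dir = "/var/db" &redef;

# Log stream -> name used for both the database file and the table inside it.
const sqlite_streams: table[Log::ID] of string = {
    [Conn::LOG]   = "conn",
    [Notice::LOG] = "notice",
    [HTTP::LOG]   = "http",
    [DHCP::LOG]   = "dhcp",
    [Weird::LOG]  = "weird",
} &redef;

event bro_init()
    {
    for ( id in sqlite_streams )
        {
        local name = sqlite_streams[id];

        local f: Log::Filter = [
            # Filter names only need to be unique per stream.
            $name="sqlite",
            # Distinct $path per stream: this is the actual workaround.
            $path=fmt("%s/%s", sqlite_dir, name),
            $config=table(["tablename"] = name),
            $writer=Log::WRITER_SQLITE
        ];

        Log::add_filter(id, f);
        }
    }
```

The resulting per-stream files can still be queried together from a single SQLite session by attaching them with `ATTACH DATABASE`.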

Actually - there is a patch in that bug that you might want to try - I forgot about that. I am not completely sure about the performance implications it might have though.

Johanna