Bro Users,
I have been trying to have multiple logs in a single sqlite database but I am getting the “the database is locked error”. This problem was previously raised here, https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aworklog-tabpanel. I wonder if there has been any solution for it in the Bro 2.5?
Regards
Asad
Asad,
You'd need to use postgres instead. SQLite + BRO is good for readonly operations. If you have a lot of reads/writes Postgres works fantastic. It should be fairly straight forward to port your current bro SQLITE policy to use postgres code. I have been using postgres instead as well. Don't use sqlite.
Aashish
Thanks Aashish,
So you mean the following script,
event bro_init()
{
local filter: Log::Filter =
[
$name="sqlite",
$path="/var/db/conn",
$config=table(["tablename"] = "conn"),
$writer=Log::WRITER_SQLITE
];
Log::add_filter(Conn::LOG, filter);
}
Would write conn.log to a "postgres" database if we make what changes??
Asad
This page should help:
https://www.bro.org/sphinx/components/bro-plugins/postgresql/README.html
basically,
event bro_init()
{
local filter: Log::Filter =
[
$name="postgres",
$path="conn",
$writer=Log::WRITER_POSTGRESQL,
$config=table(["dbname"]="testdb")
];
Log::add_filter(Conn::LOG, filter);
}
Thanks,
And have you tried multiple tables? And if yes, how to add multiple tables?
Asad
You create a new filter for each table.
local conn_filter: LOG::Filter = [ …. ]
local dns_filter: LOG::Filter = [ ….. ]
then set $path and $name for each individual table as you see fit.
If tables don’t exist in postgres, bro creates them for you.
then depending on log stream:
Log::add_filter(Conn::LOG, conn_filter);
Log::add_filter(DNS::LOG, dns_filter);