SQLite logging and as white/blacklist in a cluster

Hello everyone,

I have a bro script that logs events based on a blacklist, but I don’t want to log the same IP - blacklisted item twice. I was thinking I could log the data using the SQLite writer, and then also read from that database checking if the event has been logged earlier. Has anyone used the SQLite logging in a cluster, and if so, is there anything I should look out for? The size of the log is very small.

Will I need to manually sync the database so each node in the cluster can reference the tables?


A different approach here is probably better.

What is your timeframe for not logging something twice? Forever? or would once a day be ok?

Just once a day

If you are raising a notice, you can use suppression that is built in:


otherwise see how the known hosts policy does it:


We do not use the notice log in this instance, but using the &synchronized and &create_expire attributes look perfect for what I’m trying to accomplish, and significantly easier to use, haha.

Thanks Justin!