SQLite logging and as white/blacklist in a cluster

Hello everyone,

I have a bro script that logs events based on a blacklist, but I don’t want to log the same IP - blacklisted item twice. I was thinking I could log the data using the SQLite writer, and then also read from that database checking if the event has been logged earlier. Has anyone used the SQLite logging in a cluster, and if so, is there anything I should look out for? The size of the log is very small.

Will I need to manually sync the database so each node in the cluster can reference the tables?

Thanks,

A different approach here is probably better.

What is your timeframe for not logging something twice? Forever? Or would once a day be OK?

Just once a day

If you are raising a notice, you can use suppression that is built in:

https://www.bro.org/sphinx-git/frameworks/notice.html#automated-suppression

otherwise see how the known hosts policy does it:

https://www.bro.org/sphinx/_downloads/known-hosts.bro

We do not use the notice log in this instance, but using the &synchronized and &create_expire attributes looks perfect for what I’m trying to accomplish, and is significantly easier to use, haha.

Thanks, Justin!
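As an added illustration of the approach Justin points to (the known-hosts pattern rather than notice suppression), here is a small Bro script, written for this thread and not taken from the original posts or from the known-hosts policy. It keeps a set of already-logged (IP, item) pairs with &synchronized, so every cluster node shares the same membership without any manual database syncing, and &create_expire=1day, so a pair is logged at most once per day. The module name, the log fields, the blacklist contents and the "blacklisted-host" label are all assumptions made for the example. Note that &synchronized is the Bro-era mechanism discussed in the thread; later Zeek releases removed it in favour of Broker data stores.

```bro
module BlacklistLog;

export {
    redef enum Log::ID += { LOG };

    ## Columns of the blacklist log (field names are assumptions for this example).
    type Info: record {
        ts:   time   &log;
        ip:   addr   &log;
        item: string &log;
    };

    ## Constructed blacklist for the example; replace with the real list.
    const blacklist: set[addr] = { 192.0.2.10, 198.51.100.7 } &redef;

    ## (IP, item) pairs that have already been logged. &synchronized shares the
    ## set across all nodes of the cluster; &create_expire drops each entry one
    ## day after it was added, so the same pair is logged again the next day.
    global seen: set[addr, string] &synchronized &create_expire=1day;
}

event bro_init()
{
    Log::create_stream(LOG, [$columns=Info, $path="blacklist"]);
}

## Write a log line only if this (ip, item) pair has not been seen today.
function log_once(ip: addr, item: string)
{
    if ( [ip, item] in seen )
        return;

    add seen[ip, item];
    Log::write(LOG, [$ts=network_time(), $ip=ip, $item=item]);
}

## Example trigger: a connection to a blacklisted responder. The "blacklisted-host"
## label is an assumed item name for this example.
event connection_established(c: connection)
{
    if ( c$id$resp_h in blacklist )
        log_once(c$id$resp_h, "blacklisted-host");
}
```

Because the deduplication state lives in a synchronized in-memory set rather than in an SQLite file, each worker only needs to load this script; there is no per-node database to keep consistent, and the expiry window is changed by editing the &create_expire interval.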