The right way to disable bro write local file and enable elasticsearch

Mo_Jia · May 21, 2015, 9:59am

I add redef Log::enable_local_logging = F; the elasticsearch can't
work , I think the reason is in this func:

WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo&
arg_info, EnumVal* arg_stream, EnumVal* arg_writer, bool arg_local,
bool arg_remote)
{

// comment

   if ( local )
      {
      backend = log_mgr->CreateBackend(this, writer);

      if ( backend )
         backend->Start();
      }

   else
      backend = 0;
   }

I know the ascii writer and elasticsearch plugin are both like a
filter on a stream. I want to know the right way to disable the asscii
writer?

Is there somethings like a single var I can redef such as
enable_ascii_logging ,

event bro_init() &priority=5
{
Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http"]);
Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
}

This may create the stream and default make http.log can be create.

Mo_Jia · May 21, 2015, 10:19am

And it seem that in frameworks/logging/man.bro. Everytime it create stream.

function add_default_filter(id: ID) : bool
{
return add_filter(id, [$name="default"]);
}

this line auto create a Log::WRITER_ASCII to stream.

I am looking for a scripts-method to disable ascii log and enable
other writer. ( don't want change any c++ file in bro)
Does I need comment this line. If in this way every time I install
new bro, I should change it .

Daniel_Thayer · May 21, 2015, 5:00pm

Have you tried removing the default filter?

event bro_init()
     {
     Log::remove_filter(HTTP::LOG, "default");
     }

Mo_Jia · May 22, 2015, 2:59am

Thanks .

Using this code success get my wish.

event bro_init() &priority=-5
{
for ( stream_id in Log::active_streams )
{
Log::remove_filter(stream_id, "default");
}
}

by the way,
#:/usr/local/bro/logs/current$ ls
debug.log packet_filter.log stderr.log stdout.log

These logs can't remove by this way.

Daniel_Thayer · May 22, 2015, 3:55pm

The reason why you are seeing the packet_filter.log is
because it gets created before you remove its default filter.
To prevent the log file from being created, try removing the
"&priority=-5" on your bro_init event handler.

The reason why you are seeing those other files is because they
are not created by the logging framework (e.g., stdout.log/stderr.log
are created by broctl).

Topic		Replies	Views
Bro logs - enable_local_logging and remove_default_filter Zeek	3	79	May 6, 2022
Writing JSON logs Zeek	9	90	May 6, 2022
Bro eliminating banner in log files . Zeek	5	76	May 6, 2022
Properly disabling certain rules Zeek	5	85	May 6, 2022
Hui Lin_Bro disable log stream is not working? Zeek	2	73	May 6, 2022

The right way to disable bro write local file and enable elasticsearch

Related topics