Bro log creation

[theflakes]

Looking to get this working as a permanent solution on SecurityOnion. SO rotates Bro logs hourly and Bro only creates the two log files when there is something to write to them.

The easy way of rectifying this problem is to run two instantiations of the this script; one to monitor each file: intel.log and notice.log. Then add the logic to wait till the file exists in each script.

I've also added the logic to ignore certain notice types as I create a lot of notices that I want to see in ELSA but not in Sguil. I added a list variable in the conf file called IGNORE_NOTICE_TYPES. Haven't had a chance to test it yet though.

Please let me know if in any of the above comments I am misunderstanding any part of your script or if there is a better way of doing any of this. And thanks for authoring this script. Looking forward to getting more context in Sguil if I can.

[int13h]

Re: two instances. The agent shouldn't care whether either of the files exist when it is run. For example if you run it with:

-f "/nsm/bro/logs/current/notice.log /nsm/bro/logs/current/intel.log"

It will start following those whenever they are created/recreated. Is this not working for you?

Ignoring certain notice types could be helpful.

[theflakes]

I’m getting “Error processing file" on my test SO box. Running it as root. Neither of those files exist on this box.

On May 27, 2015, at 7:32 AM, Paul Halliday notifications@github.com wrote:

Re: two instances. The agent shouldn't care whether either of the files exist when it is run. For example if you run it with:

-f "/nsm/bro/logs/current/notice.log /nsm/bro/logs/current/intel.log"

It will start following those whenever they are created/recreated. Is this not working for you?

Ignoring certain notice types could be helpful.

—
Reply to this email directly or view it on GitHub #1 (comment).

[int13h]

Hmm.. I can't seem to duplicate this. Can you verify that you are running the most recent git before we proceed?

[theflakes]

Yep I will, thanks.

On 5/27/15, Paul Halliday notifications@github.com wrote:

Hmm.. I can't seem to duplicate this. Can you verify that you are running
the most recent git before we proceed?

---

Reply to this email directly or view it on GitHub:
#1 (comment)

[theflakes]

Deleted the file and recreated if from your Git site and received the same error. Used https://raw.githubusercontent.com/int13h/bro_agent/master/bro_agent.tcl https://raw.githubusercontent.com/int13h/bro_agent/master/bro_agent.tcl to create the bro_agent.tcl file.

Not sure what I am missing as this should be pretty simple. Below is the command I used.

./bro_agent.tcl -c bro_agent.conf -f "/nsm/bro/logs/current/notice.log /nsm/bro/logs/current/intel.log”

Have to be missing something obvious.

On May 27, 2015, at 8:14 AM, Paul Halliday notifications@github.com wrote:

Hmm.. I can't seem to duplicate this. Can you verify that you are running the most recent git before we proceed?

—
Reply to this email directly or view it on GitHub #1 (comment).

[brianhaugli]

Running into similar issue. bro_agent.tcl reads the notice log but not the intel log. Debug mode shows zero output when new intel log is updated.

[branchnetconsulting]

Hi brianhaugli. See #3 about the intel.log issue.