Thanks. I found the best way to do what I want by looking at the link you provided. In my
bro_init() handler, I simply disable the HTTP module's logging like so:

    Log::create_stream(HTTP_LOG, [$columns = HTTPRequest]);
    Log::create_stream(P0F_LOG, [$columns = OSFingerprint]);

That handler disables the HTTP module's log and then creates two logs for the things
I want to log in my module. Works like a champ!
From: Shane Castle [mailto:firstname.lastname@example.org]
Sent: Wednesday, May 07, 2014 12:38 PM
To: Knick, Scott E CTR USARMY RCERT-EUR (US); bro(a)bro.org
Subject: Re: [Bro] Disabling logs from loaded scripts
There are a couple of things you might do. You could modify the scripts you want, put them
in bro/share/site, and load them from there instead of the usual spots, for instance. You
could make a new directory under the bro/share hierarchy, put your custom or test scripts
in there, and load the whole set using one '@load', if I recall correctly.
The best approach might be tuning the logging by customizing the logging framework. See
this section of the doc:
Please experiment, but remember not to modify any of the scripts in the normal
directories, that is, keep your mods to new directories or to the bro/share/site
directory, as others will be replaced with updates.
On 07.05.2014 10:26, Knick, Scott E CTR USARMY RCERT-EUR (US) wrote:
I want to tightly control what Bro outputs. As a result, I run it with
the "bare" option enabled. This works well except any scripts I load
end up logging their own stuff. For example, if my script loads
base/protocols/http, then that module ends up logging stuff to
files.log and http.log. I was able to cut out the files.log by loading
specifically base/protocols/http/main.bro, but http.log is still
generated. Is there some other option I can use, perhaps in my script?
-- Scott Knick
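
The handler described in the reply at the top of this thread, written out as a complete Bro script. This is an added example, not code from the original messages; the module name Custom, the record fields, and the two event handlers that write to the new streams are assumptions.

```bro
# Added example: the module name and all record fields are assumptions;
# HTTP_LOG, P0F_LOG, HTTPRequest and OSFingerprint are the thread's names.
@load base/protocols/http/main.bro

module Custom;

export {
    redef enum Log::ID += { HTTP_LOG, P0F_LOG };

    type HTTPRequest: record {
        ts:     time   &log;
        uid:    string &log;
        method: string &log;
        uri:    string &log;
    };

    type OSFingerprint: record {
        ts:     time   &log;
        host:   addr   &log;
        genre:  string &log;
        detail: string &log;
    };
}

# Negative priority: run after the base scripts' bro_init handlers have
# created their streams, so HTTP::LOG already exists when it is disabled.
event bro_init() &priority=-5
    {
    Log::disable_stream(HTTP::LOG);    # the HTTP module stops writing http.log
    Log::create_stream(HTTP_LOG, [$columns = HTTPRequest]);
    Log::create_stream(P0F_LOG, [$columns = OSFingerprint]);
    }

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    local rec: HTTPRequest = [$ts = network_time(), $uid = c$uid,
                              $method = method, $uri = unescaped_URI];
    Log::write(HTTP_LOG, rec);
    }

# Raised only when passive OS fingerprinting is enabled in your configuration.
event OS_version_found(c: connection, host: addr, OS: OS_version)
    {
    local rec: OSFingerprint = [$ts = network_time(), $host = host,
                                $genre = OS$genre, $detail = OS$detail];
    Log::write(P0F_LOG, rec);
    }
```

Disabling the stream only stops the HTTP module's writes; its event handlers still run, so the analysis state other scripts rely on is unaffected.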