Node: Generating Reports on a Separate Host, Next: , Previous: Encrypted Reports, Up: Installation and Configuration



Generating Reports on a Separate Host

Warning: this section assumes a reasonably high level of Unix system administration skills!

If your site has lots of traffic, lots of connections, or if Bro is using on average more than around 40% of your CPU, you'll want to use a second host for generating reports.

To do this, on the Bro host, run bro_config, and say "N" to all report generation questions. Then install Bro on the second host using the following:

     ./configure
     make
     make install-reports
     

Then follow the instructions in Bro Configuration for setting up report generation.

You'll also need to set up a method to copy files from the Bro host to the report generation host. One way to do this is using rsync, and the Bro script push_logs.sh does this for you. For example, you can set up a cron job like this on the Bro host:

     1 1 * * * (push_logs.sh /usr/local/bro/etc/bro.cfg host:/home/bro) >> /tmp/bro-push.log
     

To make sure your rsync command has time to transfer all log files before your report generation script is run, the push_logs.sh script is designed to be used with the scripts frontend-site-report.sh and frontend-mail-report.sh on the frontend host. These frontend scripts wait for a file with a particular name to exist before running. It is also important to use the nice command to help ensure the network copy does not unduly divert processing away from Bro.

You may want to rsync the log files over a secure ssh connection. To do this, first generate an ssh key pair on the Bro capture host with no passphrase:

     ssh-keygen -t rsa -C "batch key" -f ./batch.key
     

Put this in user bro's .ssh/config file, also on the Bro capture host:

     Host recvhost brohost.foo.com
     IdentityFile ~/.ssh/batch.key
     

On the frontend host where the log files will be processed, add batch.key.pub to the authorized_keys file:

     cat batch.key.pub >> authorized_keys
     

Then create a cron entry on the Bro capture host:

     1 1 * * * nice -n 20 rsync -e 'ssh' -azv \
       /usr/local/bro/logs host:/home/bro
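The following is an added example, not Bro's own push_logs.sh or frontend scripts: it shows the push-then-wait handshake described above (a marker file that is only transferred after the log copy succeeded) together with an authorized_keys entry that confines the passphrase-less batch key to rsync into /home/bro. It assumes rrsync (shipped in rsync's support directory) is installed on the frontend; the host alias recvhost comes from the .ssh/config above, while the marker name and the example address are made up.

```shell
#!/bin/sh
# Added example, not Bro's push_logs.sh. Assumes rrsync is installed on the
# frontend; host names, paths and the marker name are illustrative.

# Frontend host: one authorized_keys line that lets the batch key do nothing
# but rsync under /home/bro, from the capture host, with no shell/forwarding.
restricted_key_line() {
    pubkey_file=$1    # e.g. batch.key.pub
    from_host=$2      # capture host address or pattern
    printf 'from="%s",command="rrsync /home/bro",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' \
        "$from_host" "$(cat "$pubkey_file")"
}

# Capture host (cron): low-priority rsync of the logs, then a second rsync of
# a marker file, so the marker can only exist once the whole copy succeeded.
# Paths are relative to the rrsync directory, e.g. push_logs /usr/local/bro/logs recvhost logs
push_logs() {
    src=$1; host=$2; dest_dir=$3; marker=${4:-PUSH_DONE}
    tmp=$(mktemp -d) || return 1
    if ! nice -n 20 rsync -e ssh -az "$src/" "$host:$dest_dir/"; then
        rm -rf "$tmp"; return 1
    fi
    date > "$tmp/$marker"
    nice -n 20 rsync -e ssh -az "$tmp/$marker" "$host:$marker"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Frontend host (report cron): block until the marker shows up, then consume
# it so a stale marker cannot trigger a report run on incomplete logs.
wait_for_marker() {
    marker=$1; timeout=${2:-3600}; interval=${3:-60}; waited=0
    while [ ! -f "$marker" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "gave up waiting for $marker" >&2
            return 1
        fi
        sleep "$interval"; waited=$((waited + interval))
    done
    rm -f "$marker"
}

# Typical use on the frontend, ahead of the report scripts:
#   wait_for_marker /home/bro/PUSH_DONE && frontend-site-report.sh
```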