Warning: this section assumes a reasonably high level of Unix system administration skills!
If your site has lots of traffic, lots of connections, or if Bro is using on average more than around 40% of your CPU, you'll want to use a second host for generating reports.
To do this, on the Bro host, run bro_config and answer "N" to all report generation questions. Then install Bro on the second host using the following:
./configure
make
make install-reports
Then follow the instructions in Bro Configuration for setting up report generation.
You'll also need to set up a method to copy files from the Bro host to the report generation host. One way to do this is with rsync, and the Bro script push_logs.sh does this for you. For example, you can set up a cron job like this on the Bro host:
1 1 * * * (push_logs.sh /usr/local/bro/etc/bro.cfg host:/home/bro) >> /tmp/bro-push.log
Note that /tmp is world-writable, so a predictably named log file there can be pre-created or symlinked by any local user; in practice, point the redirect at a directory owned by the bro user instead.
To make sure your rsync command has time to transfer all log files before your report generation script is run, the push_logs.sh script is designed to be used with the scripts frontend-site-report.sh and frontend-mail-report.sh on the frontend host. These frontend scripts wait for a file with a particular name to exist before running. It is also important to run the copy under the nice command so that the network transfer does not unduly divert processing away from Bro.
You may want to rsync the log files over a secure ssh connection. To do this, first generate an ssh key pair with no passphrase on the Bro capture host (-N "" supplies the empty passphrase so the command does not prompt for one, which matters when this is scripted):
ssh-keygen -t rsa -N "" -C "batch key" -f ./batch.key
Move batch.key into user bro's ~/.ssh directory on the Bro capture host (mode 0600), and put this in that user's .ssh/config file so that ssh selects the batch key whenever it connects to the report host under either name:
Host recvhost brohost.foo.com
    IdentityFile ~/.ssh/batch.key
On the frontend host where the log files will be processed, append the public half of the pair, batch.key.pub, to the bro user's authorized_keys file:
cat batch.key.pub >> ~/.ssh/authorized_keys
Because the private key has no passphrase, anyone who can read it on the capture host can log in as bro on the frontend. Limit the damage by prefixing the authorized_keys entry with restrictions such as from="<capture host>",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding and, where possible, a command="..." option that only permits the rsync transfer.
Then create a cron entry on the Bro capture host. Replace host with the Host alias from the config file (recvhost above) so the batch key is used, and keep the whole entry on one line, since crontab does not support backslash line continuation. 19 is the lowest scheduling priority nice accepts:
1 1 * * * nice -n 19 rsync -e ssh -azv /usr/local/bro/logs host:/home/bro
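The two pieces above that the manual leaves to the reader are (a) what to put in the authorized_keys restrictions so a stolen passphrase-less batch key can do nothing except deliver logs, and (b) the "transfer first, then signal" handshake that push_logs.sh and the frontend-*-report.sh scripts rely on. The following script is an added example written for this page; it is not code from the Bro distribution or from push_logs.sh. The log directory /home/bro/logs, the marker name .push-complete, the wrapper path /usr/local/bin/batch-rsync and the capture host address 10.0.0.5 are hypothetical; the real marker file name is whatever push_logs.sh and the frontend scripts agree on, which this page does not state.

```shell
#!/bin/sh
# Added example, not part of the Bro manual or of push_logs.sh.
# Hypothetical names: receiving user "bro", logs in /home/bro/logs,
# marker /home/bro/logs/.push-complete, wrapper /usr/local/bin/batch-rsync.

# 1. Build a restricted authorized_keys line for the batch key on the frontend.
#    $1 = contents of batch.key.pub, $2 = the only host allowed to present it,
#    $3 = forced command sshd runs instead of whatever the client asked for.
restricted_key_line() {
    pubkey=$1; fromhost=$2; forced=$3
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$fromhost" "$forced" "$pubkey"
}

# 2. Policy for the forced command: the batch key may only run rsync in server
#    mode writing under the log directory. sshd exports the client's requested
#    command in SSH_ORIGINAL_COMMAND; everything else is refused.
#    $1 = requested command, $2 = log directory. Returns 0 if allowed.
allow_batch_command() {
    cmd=$1; logdir=$2
    # Must be rsync --server with the destination at or below $logdir.
    case $cmd in
        "rsync --server "*" $logdir"|"rsync --server "*" $logdir/"*) ;;
        *) return 1 ;;
    esac
    # Refuse ".." so the destination cannot escape the log directory.
    case $cmd in
        *"/../"*|*"/..") return 1 ;;
    esac
    # Refuse shell metacharacters that could smuggle in a second command.
    case $cmd in
        *';'*|*'&'*|*'|'*|*'$'*|*'('*|*')'*|*'`'*|*'<'*|*'>'*) return 1 ;;
    esac
    return 0
}

# 3. Body of the wrapper installed as the command="..." target (hypothetical
#    path /usr/local/bin/batch-rsync). Word-splitting the validated string is
#    enough; no eval is needed because metacharacters were rejected above.
run_forced() {
    logdir=$1
    if allow_batch_command "${SSH_ORIGINAL_COMMAND:-}" "$logdir"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "batch key: refused command: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
    exit 1
}

# 4. Capture-host side of the handshake: run the transfer, and only if it
#    succeeded create the marker, so the frontend never finds a marker next to
#    a partial copy. $1 = transfer command, e.g.
#    "nice -n 19 rsync -e ssh -az /usr/local/bro/logs recvhost:/home/bro/logs",
#    $2 = command that creates the marker on the frontend, e.g.
#    "ssh recvhost touch /home/bro/logs/.push-complete".
push_then_mark() {
    transfer=$1; mark=$2
    if sh -c "$transfer"; then
        sh -c "$mark"
    else
        echo "transfer failed; marker not written" >&2
        return 1
    fi
}

# 5. Frontend side: wait up to $2 seconds for marker $1, consume it, and only
#    then let report generation proceed. Returns 1 on timeout.
wait_for_marker() {
    marker=$1; timeout=$2; waited=0
    while [ ! -f "$marker" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1; waited=$((waited + 1))
    done
    rm -f "$marker"   # consume it so the next run waits for the next push
    return 0
}
```

On the frontend, the wrapper script would consist of `run_forced /home/bro/logs`, and the line emitted by restricted_key_line goes into ~bro/.ssh/authorized_keys in place of the bare batch.key.pub contents. Rejecting ".." and shell metacharacters is what keeps the allowlist meaningful: rsync's server-side argument is a plain path, so anything more exotic in SSH_ORIGINAL_COMMAND is not a legitimate log push.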