base/frameworks/logging/postprocessors/scp.bro
-
Log
This script defines a postprocessing function that can be applied
to a logging filter in order to automatically SCP (secure copy)
a log stream (or a subset of it) to a remote host at configurable
rotation time intervals. Generally, to use this functionality
you must handle the bro_init
event and do the following
in your handler:
- Create a new
Log::Filter
record that defines a name/path,
rotation interval, and set the postprocessor
to
Log::scp_postprocessor
.
- Add the filter to a logging stream using
Log::add_filter
.
- Add a table entry to
Log::scp_destinations
for the filter’s
writer/path pair which defines a set of Log::SCPDestination
records.
Summary
State Variables
Log::scp_destinations : table |
A table indexed by a particular log writer and filter path, that yields
a set of remote destinations. |
Types
Log::SCPDestination : record |
A container that describes the remote destination for the SCP command
argument as user@host:path . |
Detailed Interface
Redefinable Options
-
Log::scp_rotation_date_format
-
Default naming format for timestamps embedded into log filenames
that use the SCP rotator.
State Variables
-
Log::scp_destinations
-
A table indexed by a particular log writer and filter path, that yields
a set of remote destinations. The Log::scp_postprocessor
function queries this table upon log rotation and performs a secure
copy of the rotated log to each destination in the set. This
table can be modified at run-time.
Types
-
Log::SCPDestination
Type: | record
- user:
string
The remote user to log in as. A trust mechanism should be
pre-established.
- host:
string
The remote host to which to transfer logs.
- path:
string
The path/directory on the remote host to send logs.
|
A container that describes the remote destination for the SCP command
argument as user@host:path
.
Functions
-
Log::scp_postprocessor
-
Secure-copies the rotated log to all the remote hosts
defined in Log::scp_destinations
and then deletes
the local copy of the rotated log. It’s not active when
reading from trace files.
Info: | A record holding meta-information about the log file to be
postprocessed. |
Returns: | True if secure-copy system command was initiated or
if no destination was configured for the log as described
by info. |