Generating Reports on a Separate Host
Warning: this section assumes a reasonably high level of Unix system administration skills!
If your site has lots of traffic, lots of connections, or if Bro is using on average more than around 40% of your CPU, you'll want to use a second host for generating reports.
To do this, on the Bro host, run bro_config, and say "N" to all report generation questions. Then install Bro on the second host using the following:
./configure
make
make install-reports
Then follow the instructions in Bro Configuration for setting up report generation.
You'll also need to set up a method to copy files from the Bro host to the report generation host. One way to do this is using rsync. For example, you can set up a cron job like this on the Bro host:
1 1 * * * nice -n 10 rsync -avz /usr/local/bro/logs host:/home/bro
You'll need to make sure your rsync command has time to transfer all log files before your report generation script is run. Use the nice command to help ensure the network copy does not unduly divert processing away from Bro.
You may want to rsync the log files over a secure ssh connection. To do this, you first need to generate an ssh key pair on the Bro host with no passphrase:
ssh-keygen -t rsa -C "batch key" -f ./batch.key
Then on the logging host, put this in user bro's .ssh/config:
Host recvhost brohost.foo.com
    IdentityFile ~/.ssh/batch.key
On the host where the log files will be processed, add the public key (batch.key.pub, created by the ssh-keygen command above) to the authorized_keys file:
cat batch.key.pub >> authorized_keys
Then create a cron entry on the Bro capture host. The entry must be a single line, because crontab does not support backslash line continuation:
1 1 * * * nice -n 20 rsync -e 'ssh' -azv /usr/local/bro/logs host:/home/bro
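Because batch.key has no passphrase, anyone who obtains it can log in to the report host as the receiving user unless the key is restricted there. The following script is an added example, not part of the Bro manual: run on the report host, it replaces the plain authorized_keys line with one that only permits the rsync transfer. It assumes the rrsync helper distributed with rsync is on the account's PATH and that sshd supports the "restrict" key option; the function names and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Bro manual. Run on the report host.
# Assumptions: rrsync is on the receiving account's PATH; sshd understands
# the "restrict" option; function names here are illustrative.

# first_key FILE: first line that is neither blank nor a comment,
# in the form "<type> <base64> [comment]".
first_key() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | head -n 1
}

# restricted_entry PUBKEY_FILE SOURCE_ADDR DEST_DIR
# Prints an authorized_keys line that accepts the key only from SOURCE_ADDR,
# disables forwarding and pty allocation, and forces rrsync confined to
# DEST_DIR. from= matches addresses only, unless sshd has UseDNS enabled.
restricted_entry() {
    key=$(first_key "$1")
    case $key in
        ssh-*' '*|ecdsa-*' '*) ;;
        *) echo "not an OpenSSH public key: $1" >&2; return 1 ;;
    esac
    printf 'from="%s",command="rrsync %s",restrict %s\n' "$2" "$3" "$key"
}

# install_restricted_key PUBKEY_FILE SOURCE_ADDR DEST_DIR AUTHORIZED_KEYS
# Drops any existing line for the same key (for example the unrestricted one
# appended with cat) and adds the restricted entry. Safe to run repeatedly.
install_restricted_key() (
    umask 077                      # subshell body, so the umask stays local
    entry=$(restricted_entry "$1" "$2" "$3") || exit 1
    blob=$(first_key "$1" | awk '{print $2}')
    mkdir -p "$(dirname "$4")"
    touch "$4"
    tmp=$(mktemp "$4.XXXXXX")      # created with mode 0600
    grep -vF -- "$blob" "$4" > "$tmp" || true   # grep exits 1 if nothing is left
    printf '%s\n' "$entry" >> "$tmp"
    mv "$tmp" "$4"
)

# Example: sh restrict_key.sh batch.key.pub 192.0.2.10 /home/bro ~/.ssh/authorized_keys
if [ "$#" -eq 4 ]; then
    install_restricted_key "$@"
fi
```

With rrsync forced to /home/bro, the destination in the cron entry is interpreted relative to that directory, so adjust the host:/home/bro argument accordingly.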