Generating Reports on a Separate Host

Warning: this section assumes a reasonably high level of Unix system administration skills!

If your site has lots of traffic, lots of connections, or if Bro is using on average more than around 40% of your CPU, you'll want to use a second host for generating reports.

To do this, on the Bro host, run bro_config, and say "N" to all report generation questions. Then install Bro on the second host using the following:

     ./configure
     make
     make install-reports
     

Then follow the instructions in Bro Configuration for setting up report generation.

You'll also need to set up a method to copy files from the Bro host to the report generation host. One way to do this is using rsync. For example, you can set up a cron job like this on the Bro host:

     1 1 * * * nice -n 10 rsync -avz /usr/local/bro/logs host:/home/bro
     

You'll need to make sure your rsync command has time to transfer all log files before your report generation script is run. Use the nice command to help ensure the network copy does not unduly divert processing away from Bro.

You may want to rsync the log files over a secure ssh connection. To do this, first generate an ssh key pair with no passphrase on the Bro host:

     ssh-keygen -t rsa -C "batch key" -f ./batch.key
     

Then on the logging host, put this in user bro's .ssh/config:

     Host recvhost brohost.foo.com
     IdentityFile ~/.ssh/batch.key
     

On the host where the log files will be processed, add batch.key.pub to the authorized_keys file:

     cat batch.key.pub >> authorized_keys
     

Then create a cron entry on the Bro capture host. A crontab entry must be on a single line; cron does not support backslash line continuation:

     1 1 * * * nice -n 20 rsync -e 'ssh' -azv /usr/local/bro/logs host:/home/bro
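
Because batch.key has no passphrase, anyone who can read it can log in as user bro on the report host. The script below is an added example, not part of the Bro distribution: it installs batch.key.pub into authorized_keys with the OpenSSH "restrict" and "from=" options instead of a plain append. It assumes OpenSSH 7.2 or later on the report host and uses brohost.foo.com as the sending host; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Bro docs). Assumes OpenSSH >= 7.2 for "restrict".

# restricted_key_line PUBKEY_FILE SOURCE_HOST
# Print an authorized_keys line for the key that disables pty allocation and
# all forwarding ("restrict") and only accepts logins from SOURCE_HOST.
restricted_key_line() {
    pub=$1 from=$2
    ktype= kblob= kcomment=
    # A public key file is one line: key type, base64 blob, optional comment.
    read -r ktype kblob kcomment < "$pub" || [ -n "$kblob" ] || return 1
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "not an SSH public key: $pub" >&2; return 1 ;;
    esac
    [ -n "$kblob" ] || return 1
    printf 'restrict,from="%s" %s %s%s\n' \
        "$from" "$ktype" "$kblob" "${kcomment:+ $kcomment}"
}

# install_key PUBKEY_FILE SOURCE_HOST AUTHORIZED_KEYS_FILE
# Replace any existing entry for this key (including an unrestricted one
# added with "cat >>") by the restricted line. Safe to run repeatedly.
install_key() {
    auth=$3
    line=$(restricted_key_line "$1" "$2") || return 1
    blob=$(printf '%s\n' "$line" | cut -d' ' -f3)
    (
        umask 077    # authorized_keys must not be group/world accessible
        mkdir -p "$(dirname "$auth")" && touch "$auth" || exit 1
        # Keep every line that belongs to a different key.
        grep -vF -- " $blob" "$auth" > "$auth.new" || true
        printf '%s\n' "$line" >> "$auth.new" && mv "$auth.new" "$auth"
    )
}

# Usage on the report host, as user bro:
#   sh install_batch_key.sh batch.key.pub brohost.foo.com ~/.ssh/authorized_keys
if [ "$#" -eq 3 ]; then
    install_key "$@"
fi
```

rsync over ssh needs neither a pty nor forwarding, so the cron entry above works unchanged with the restricted key.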