Syslog2bro: tail a syslog file and generate bro events
From BroWiki
syslog2bro is a program that essentially does a tail -F on a syslog file and generates Broccoli events from the lines it reads. It runs in a single process and uses a lex-generated scanner, so it is very efficient.
Currently it only knows how to generate sshd-related events, such as login failures.
The distribution includes some Bro policy files:
- ssh-killer.bro - Block a host after too many login failures. Automatically unblock after some amount of time. Email activity reports.
- email.bro - Manage the emailing of message strings. Sends the first message immediately, then batches up additional messages and sends them after waiting a certain amount of time.
Note that ssh-killer.bro is designed to work with acld; it assumes the functions defined in acld.bro are available. It wouldn't be difficult to modify it to use a different blocking method.
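The ssh-killer logic described above, as an added Python example that is not part of the syslog2bro distribution: it recognises sshd failure lines the way syslog2bro's scanner would, counts failures per source inside a sliding window, and records a block that lifts itself after a fixed time. The on_block callback is a stand-in for the acld/Broccoli action, and the log lines used to exercise it are constructed.

```python
import re
from collections import defaultdict, deque

# OpenSSH's standard failure message; the syslog prefix around it is constructed.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failure(line):
    """Return (user, source) for an sshd login-failure line, else None."""
    m = SSHD_FAIL.search(line)
    return (m.group("user"), m.group("src")) if m else None

class SshKiller:
    """Block a source after `threshold` failures inside a `window` of seconds,
    and lift the block `block_time` seconds later."""
    def __init__(self, threshold=5, window=60, block_time=600, on_block=None):
        self.threshold, self.window, self.block_time = threshold, window, block_time
        self.on_block = on_block or (lambda src: None)  # placeholder for the acld/Broccoli call
        self.failures = defaultdict(deque)  # source -> timestamps of recent failures
        self.blocked = {}                   # source -> time at which to unblock

    def expire(self, now):
        """Lift blocks whose time has elapsed; return the sources unblocked."""
        freed = [s for s, t in self.blocked.items() if t <= now]
        for s in freed:
            del self.blocked[s]
        return freed

    def feed(self, line, now):
        """Process one syslog line seen at time `now`; return the source blocked, if any."""
        self.expire(now)
        parsed = parse_failure(line)
        if parsed is None:
            return None
        _user, src = parsed
        if src in self.blocked:
            return None
        q = self.failures[src]
        q.append(now)
        while q and q[0] < now - self.window:  # keep only failures inside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        self.blocked[src] = now + self.block_time
        q.clear()
        self.on_block(src)
        return src
```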
The current version is available for download from ftp.ee.lbl.gov:
leres 02:23, 6 March 2009 (UTC)
