Bro Redis Logging

Log filter for the Redis key/value DB; see

This is not a very common logging format for Bro, as you lose query ability on all log fields except the key field. One can find it useful to store (temporary) metadata about specific network events.

All log fields get formatted as a JSON string and saved as a Redis value. The keys for these values are another log field, selectable for each log filter.

Be aware that duplicate key values will overwrite the corresponding associated values.


This plugin, almost certainly, will be useful mainly for custom log streams (see This code is not production ready! If there are problems with the DB connection, buffered data will be lost!


First, install the libhiredis library and headers. On Ubuntu do:

sudo apt-get install libhiredis-dev

To install this plugin run:

./configure --bro-dist=<path_to_bro_build> && make && sudo make install

To check if everything installed succesfully run:

# bro -N Bro::Redis
Bro::Redis - Redis log writer (dynamic, version 1.0)

There are also a set of tests that can be run:

make test


Global default configs for all Redis filters:


Defaults can be changed with redef statements, or by setting a $config table for each filter.

You can select the log field that will become the key, either with ‘key_index’ or ‘key’. With ‘key’ log field names will be checked and the first field that matches will become the key for this log stream (it will overwrite ‘key_index’). The key can also be prepended (namespaced) by setting ‘key_prefix’, or you can change the database by setting ‘db’. Setting ‘unix_path’ overwrites ‘server_host’.


Filter for a custom log stream that outputs extracted file’s metadata. The ‘dump_file’ log field is the Redis key.

local redis_filter: Log::Filter =
                     [$name = "http-extracted-redis",
                      $writer = Log::WRITER_REDIS,
                      $config = table(["key"] = "dump_file",
                                      ["db"] = "4",
                                      ["server_host"] = "",
                                      ["server_port"] = "6379",
                                      ["key_prefix"] = "",
                                      ["key_expire"] = "600",
                                      ["flush_period"] = "10")];

Log::add_filter(YourLogID::LOG, redis_filter);

Previous Page


Copyright 2016, The Bro Project. Last updated on October 17, 2017. Created using Sphinx 1.5.2.