logging in bro

Vern Paxson vern at ee.lbl.gov
Mon Mar 20 00:38:31 PST 2000


> I have been working with the log files in bro (weird.log, bro.log,
> ftp.log, etc) and have noticed that they are written out in chunks of 4096
> bytes. 
> 
> I know that this is possibly done for performance reasons, but has anyone
> tried/done writing out to the log files in "real-time" (i.e., as soon
> there is data to be written out (i.e., without buffering))?

I've been wanting to add a flush directive, and/or a signal handler
(for HUP, say) that would flush the files, but haven't gotten around to
it yet.

> I have looked through the code looking for how and where this "buffering"
> is specified and how the "chunk size" is specified to be 4096, but have
> not had much success.

It's just the default size used by stdio.  On my development system (FreeBSD),
it's 8192 bytes, by the way.

Note, though, that bro.log should be written unbuffered.  If it's buffered
on your system, something strange is going on - there's an explict fflush()
in Logger.cc to make sure it goes out each time it's written.

		Vern



More information about the Bro mailing list