[Bro] recipe for log rotating?
tarupp at fnal.gov
Tue Nov 16 08:28:20 PST 2010
Well, right now I'm just using straight bro (the binary) because I'm in
the middle of debugging a script, but ultimately it will move to brocontrol.

I have only limited experience with BroControl at this point though (I
ran it and started a script); I haven't experienced BroControl's handling
of log files yet.

I guess I'm just looking to simulate what regular old Linux does with
logs and logrotate; everything goes into one directory, or a subset of
that one directory (for instance httpd logs in the subdirectory
/var/log/httpd/) and then logrotate coming around and making .1, .2, etc.
at some interval.

It'd be equally acceptable to me if I could just change the bro log file
name to not be a timestamp, and then have logrotate work like it does.

Can I redef the build_name function in rotate logs and just return a
string like "messages" and then bro would create a regular file called
"messages" without the extra timestamp text, filename suffix, etc??

If I were to let logrotate handle rotating of the bro log, I'd also want
to tell bro to never rotate its own file, and then in the logrotate
config specify "copytruncate" to prevent bro from losing any open
handles to its log file, right?

I approached the log rotate question as a function of bro, but maybe in
my case I would be happy with what I described above?

Seth Hall wrote:
> On Nov 16, 2010, at 10:09 AM, Tim Rupp wrote:
>> Hi folks,
>> I was wondering if anyone had a recipe for changing the log rotate
>> script to rotate bro logs like regular log rotate does
> I'm thinking about how to implement this, but I had some questions. Are you using BroControl so your logs are being put into directories by day? How do you see these log names working in that context? Would each day have logs named like: *.0, *.2, *.3, ..., *.23?
> Or are you asking about creating logs named this way outside of the context of BroControl?