[Bro] recipe for log rotating?

Seth Hall seth at icir.org
Tue Nov 16 11:49:36 PST 2010

On Nov 16, 2010, at 11:28 AM, Tim Rupp wrote:

> Can I redef the build_name function in rotate logs and just return a string like "messages" and then bro would create a regular file called "messages" without the extra timestamp text, filename suffix, etc??

Instead of doing that, you should be able to just not load the rotate-logs.bro script.  This changes if you are running broctl though because there is some small amount of log rotation logic contained there and rotate-logs.bro is loaded by some of the broctl scripts.  Just be aware that the all.bro and the (deprecated) brolite.bro script both load rotate-logs.bro.

> If I were to let logrotate handle rotating of the bro log, I'd also want to tell bro to never rotate its own file, and then in the logrotate config specify "copytruncate" to prevent bro from losing any open handles to its log file right?

After looking at the logrotate man page, I think you are correct.  If you find that that option works with Bro, could you please report back?

> I approached the log rotate question as a function of bro, but maybe in my case I would be happy with what I described above?

When you make the move to BroControl, you may find that you are actually just fine with how it does log rotation.  I haven't heard any complaints about how it manages the logs at least.

I think it's probably worthwhile to think of the logs that Bro outputs as different from your system logs since that's the primary output of the application.  The logs are more equivalent to the database that a web application might use and less comparable to the logs that the web server running the web application outputs.
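
The copytruncate behaviour asked about in this thread, as an added example that is not part of the original message: logrotate copies the live file and then truncates it in place, so the result depends on how the writer opened its handle and on whether anything is written between the two steps. The file names and records are constructed, and the example assumes nothing about how Bro itself opens its logs.

```python
import os
import shutil
import tempfile


def simulate(append, write_in_gap=False):
    """Keep one writer handle open across a copytruncate-style rotation.

    append       -- open the live log with O_APPEND (assumption about the writer)
    write_in_gap -- emit a record after the copy but before the truncate
    Returns (rotated_bytes, live_bytes) as found on disk afterwards.
    """
    workdir = tempfile.mkdtemp()
    live = os.path.join(workdir, "conn.log")    # constructed file name
    rotated = live + ".1"
    flags = os.O_WRONLY | os.O_CREAT | (os.O_APPEND if append else 0)
    fd = os.open(live, flags, 0o600)
    try:
        os.write(fd, b"record 1\nrecord 2\n")   # constructed log records
        shutil.copyfile(live, rotated)          # copytruncate step 1: copy
        if write_in_gap:
            os.write(fd, b"record 3\n")         # written after copy, before truncate
        os.truncate(live, 0)                    # copytruncate step 2: truncate in place
        os.write(fd, b"record 4\n")             # same handle, after rotation
    finally:
        os.close(fd)
    with open(rotated, "rb") as f:
        rotated_data = f.read()
    with open(live, "rb") as f:
        live_data = f.read()
    shutil.rmtree(workdir)
    return rotated_data, live_data


if __name__ == "__main__":
    for append, gap in [(True, False), (True, True), (False, False)]:
        rotated, live = simulate(append, gap)
        print(f"append={append} write_in_gap={gap}")
        print(f"  rotated: {rotated!r}")
        print(f"  live:    {live!r}")
```

With an append-mode handle the writer keeps logging to the emptied file, but a record written between the copy and the truncate appears in neither file. Without append mode the writer's offset survives the truncate, so the live file starts with a run of NUL bytes.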
