[Bro] Question on log rotation
gary at doit.wisc.edu
Thu Dec 19 18:33:25 PST 2013
Thank you, that should actually be very helpful, and not just for this
problem, but also because I have a couple of Python books on my reading
list over winter break, along with Applied NSM.
On 12/19/2013 7:45 PM, Eric Ooi wrote:
> I’ve noticed this before on Bro 2.1. I ended up writing a quick python script and configured it as an hourly cron job to complete the compression and move. I’ve attached it here. Hope this helps.
> On Dec 19, 2013, at 5:57 PM, Gary Faulkner <gary at doit.wisc.edu> wrote:
>> I had a situation where log rotation and post-processing (summary emails) were not completing. New logs would get started and each previous hour's logs renamed, but not get compressed and moved, which means that many of the previous logs were still in /current (or are they really in <path-to-bro>/spool/manager?). In any case, upon stopping bro via broctl, it appears that only the most current log got processed and archived, while all of the logs in between that never got processed seem to simply have gotten deleted. Are those logs simply lost or somewhere other than the dated archive folder and /current folder? If so, is this expected behavior, or is there normally something that would check to see if previous logs failed to rotate out?
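The hourly catch-up job Eric describes, written out here as an added example; this is not his attached script (the attachment is not in the archive) and not part of Bro. It assumes rotated logs sit in the spool directory named like conn.2013-12-19-17-00-00.log and are archived as logs/YYYY-MM-DD/conn.HH:MM:SS-HH:MM:SS.log.gz, which matches Bro's default archive-log layout as I understand it; the one-interval grace period is there so a rotation that broctl is still handling is never touched.

```python
import gzip
import os
import re
import shutil
import tempfile
from datetime import datetime, timedelta

# Assumed name of a rotated-but-not-yet-archived log: <stream>.<YYYY-MM-DD-HH-MM-SS>.log
ROTATED_RE = re.compile(r"^(?P<stream>[\w-]+)\.(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})\.log$")

def parse_rotated_name(name):
    """Return (stream, rotation start time) for a rotated log name, else None."""
    m = ROTATED_RE.match(name)
    if not m:
        return None
    return m.group("stream"), datetime.strptime(m.group("ts"), "%Y-%m-%d-%H-%M-%S")

def archive_path(archive_dir, stream, start, end):
    """Assumed archive layout: <archive_dir>/YYYY-MM-DD/<stream>.HH:MM:SS-HH:MM:SS.log.gz"""
    span = "%s-%s" % (start.strftime("%H:%M:%S"), end.strftime("%H:%M:%S"))
    return os.path.join(archive_dir, start.strftime("%Y-%m-%d"), "%s.%s.log.gz" % (stream, span))

def archive_rotated_logs(spool_dir, archive_dir, now, interval=timedelta(hours=1)):
    """gzip every stale rotated log in spool_dir and move it into the dated archive tree.
    A file rotated less than one interval ago is skipped (the normal post-processor
    may still be working on it). Returns the list of archive files written."""
    archived = []
    for name in sorted(os.listdir(spool_dir)):
        parsed = parse_rotated_name(name)
        if parsed is None:
            continue  # live logs such as conn.log never match and are left alone
        stream, start = parsed
        end = start + interval
        if now < end + interval:
            continue  # too recent: leave it for broctl's own rotation handling
        dest = archive_path(archive_dir, stream, start, end)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        src = os.path.join(spool_dir, name)
        with open(src, "rb") as f_in, gzip.open(dest, "wb") as f_out:
            shutil.copyfileobj(f_in, f_out)
        os.remove(src)  # drop the plain copy only after the compressed one is fully written
        archived.append(dest)
    return archived

def demo():
    """Constructed spool: one live log, two stale rotated logs, one rotation still in progress."""
    root = tempfile.mkdtemp()
    spool, archive = os.path.join(root, "spool"), os.path.join(root, "logs")
    os.mkdir(spool)
    for n in ("conn.log", "conn.2013-12-19-15-00-00.log",
              "dns.2013-12-19-16-00-00.log", "conn.2013-12-19-17-00-00.log"):
        with open(os.path.join(spool, n), "w") as f:
            f.write("#separator \\x09\n")
    done = archive_rotated_logs(spool, archive, datetime(2013, 12, 19, 18, 33, 25))
    return sorted(os.path.relpath(p, root) for p in done), sorted(os.listdir(spool))
```

Run it from cron with the real spool and logs directories substituted in; the archive names contain colons, so this layout assumes a POSIX filesystem.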