[Bro] is there a standard config option for pruning historical logs?
JAzoff at albany.edu
Mon Oct 21 08:31:23 PDT 2013
On Thu, Oct 17, 2013 at 02:49:33PM +1300, Russell Fulton wrote:
> Yes, I know it is trivial but if there is a built in way to do it I would rather use it! That way when someone changes the log directory between releases it keeps working ;)
> I am putting much of the data into elsa so there isn't much point in keeping it hanging around in bro-logs for long.
In addition to the options you found, another option is to use cron jobs
to have per log file retention periods. I do something like this:

    @daily root find /usr/local/bro/logs/ -name 'http*' -mtime +6 | xargs rm -f
    @daily root find /usr/local/bro/logs/ -name 'ftp.*' -mtime +6 | xargs rm -f

to only keep http and ftp logs for a week. Once the 'big' log files are
removed, a day's logs are < 100M instead of 10G.
-- Justin Azoff
-- Network Security & Performance Analyst
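
The per-log retention described in the message above, written as one script with a policy table and a dry-run default. This is an added example, not part of the original post; the names `POLICY` and `prune_logs` and the `--delete` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-log-type retention for a Bro log archive.
# Each policy line is "<file name glob> <days to keep>". The two entries
# mirror the cron jobs in the post; extend the table for other log types.
POLICY='http* 6
ftp.* 6'

# prune_logs DIR [--delete]
# Prints every file that is past its retention period.
# Files are removed only when --delete is given, so a new policy line
# can be reviewed before it is allowed to remove anything.
prune_logs() {
    dir=$1
    mode=${2:-}

    # Refuse an empty or root path so a bad argument cannot prune elsewhere.
    case $dir in
        ''|/) echo "refusing to prune '$dir'" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    printf '%s\n' "$POLICY" | while read -r glob days; do
        [ -n "$glob" ] || continue
        # Skip lines whose retention value is missing or not a number.
        case $days in
            ''|*[!0-9]*) echo "bad policy line: $glob $days" >&2; continue ;;
        esac
        if [ "$mode" = "--delete" ]; then
            # -type f never follows symlinks; -exec avoids the xargs
            # word-splitting problem with unusual file names.
            find "$dir" -type f -name "$glob" -mtime +"$days" \
                -print -exec rm -f -- {} +
        else
            find "$dir" -type f -name "$glob" -mtime +"$days" -print
        fi
    done
}

# Run as a script: prune-logs.sh /usr/local/bro/logs [--delete]
if [ "$#" -gt 0 ]; then
    prune_logs "$@"
fi
```

Run it without `--delete` first and check the listed files, then schedule the `--delete` form from cron.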