[Bro] Append instead of overwrite
jlay at slave-tothe-box.net
Sat Aug 23 04:43:54 PDT 2014
On Thu, 2014-08-21 at 17:07 -0500, Daniel Thayer wrote:
> On 08/21/2014 04:13 PM, James Lay wrote:
> > On 2014-08-21 13:36, Daniel Thayer wrote:
> >> On 08/15/2014 01:13 PM, Seth Hall wrote:
> >>> On Aug 15, 2014, at 11:53 AM, James Lay <jlay at slave-tothe-box.net> wrote:
> >>>> To give me an option to append instead of overwrite. I imagine that
> >>>> since broctl does all the file management that this could be a
> >>>> command line option...
> >>> Ah! You just want to have file management (and perhaps full
> >>> rotation?) added as a standalone script and not something that is
> >>> added by broctl?
> >>> Johanna is right that with our current logging scheme we can't
> >>> really append log files for multiple reasons but I could certainly
> >>> pull together something that would give you decent log rotation
> >>> without running broctl.
> >>> .Seth
> >> To get basic log rotation working without running broctl, you only
> >> need to add this in one of your Bro scripts:
> >> redef Log::default_rotation_interval = 3600 secs;
> >> However, that does not compress the rotated logs, and it will not
> >> move them to another directory. If you want those features, then
> >> you need to have broctl installed, and you need to add this line
> >> also:
> >> redef Log::default_rotation_postprocessor_cmd = "archive-log";
> >> The "archive-log" script will be executed by Bro (so it either needs
> >> to be in Bro's PATH or you need to give the pathname).
> >> In order to get the archive-log script to work, you need to
> >> edit broctl.cfg as needed and run "broctl install". Then start Bro
> >> manually and when Bro runs archive-log it should have all the
> >> info it needs.
> > Yeah, so I lied, I tested this already :D This works really well. I'm
> > assuming that the number of seconds in "redef 3600 secs" and
> > "LogRotationInterval = 3600" in broctl.conf have to match up. And as I
> Those values don't really need to match (but it might be best to
> keep them in sync just to avoid confusion). Since you're not
> starting Bro with broctl, then the only broctl config options
> that will be used are the ones that the archive-log script uses
> (you can look in that script to see which variables it uses,
> if you're curious).
> > But after that it ran like a champ. My last question is if I have
> > these rotate every 24 hours, if I say...start this at 15:00, will it
> > rotate at 15:00? Thank you.
> > James
> In that case I think it will rotate at midnight.
FYI...this absolutely rotated at midnight...which is just
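For anyone following Daniel's recipe above without broctl, here is a small stand-in for the archive-log step: an added example script, not archive-log itself and not from this thread. It assumes Bro calls Log::default_rotation_postprocessor_cmd with the default postprocessor's argument order (rotated file, base path, open timestamp, close timestamp, terminating flag, writer) and the default date format "%y-%m-%d_%H.%M.%S"; the ARCHIVE_ROOT variable and the output layout are my own choices.

```shell
#!/bin/sh
# Added example (not archive-log, not from the thread): a minimal rotation
# postprocessor for a Bro started by hand, i.e. without broctl.
# Assumption: Bro runs Log::default_rotation_postprocessor_cmd as
#   <cmd> <rotated file> <base path> <open ts> <close ts> <terminating> <writer>
# with timestamps in Log::default_rotation_date_format ("%y-%m-%d_%H.%M.%S").
# Check both against the logging main.bro of your Bro version before relying on it.

ARCHIVE_ROOT="${ARCHIVE_ROOT:-./archive}"   # where compressed logs end up (assumed)

# archive_rotated_log <rotated file> <base path> <open ts> <close ts>
# gzip the rotated file into ARCHIVE_ROOT/<YYYY-MM-DD>/ and remove the original.
# Prints the destination path; returns non-zero on error without removing the original.
archive_rotated_log() {
    fname=$1; base=$2; opened=$3; closed=$4
    [ -f "$fname" ] || return 1
    # "14-08-21_15.00.00" -> day 2014-08-21, time 15.00.00
    day="20${opened%%_*}"
    open_time=${opened#*_}
    close_time=${closed#*_}
    dest_dir="$ARCHIVE_ROOT/$day"
    dest="$dest_dir/$base.$open_time-$close_time.log.gz"
    mkdir -p "$dest_dir" || return 1
    # compress to a temp name first so a half-written archive is never left behind
    gzip -c "$fname" > "$dest.tmp" || { rm -f "$dest.tmp"; return 1; }
    mv "$dest.tmp" "$dest" || return 1
    rm -f "$fname"
    echo "$dest"
}

# When Bro invokes this script directly, act on its arguments.
if [ "$#" -ge 4 ]; then
    archive_rotated_log "$1" "$2" "$3" "$4" >/dev/null
fi
```

Point Log::default_rotation_postprocessor_cmd at this script's full path (or put it on Bro's PATH), and set ARCHIVE_ROOT in Bro's environment to choose the archive directory.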