[Bro] elastic search / bro questions

Seth Hall seth at icir.org
Mon Nov 10 07:57:54 PST 2014

> On Nov 10, 2014, at 10:20 AM, Joe Blow <blackhole.em at gmail.com> wrote:
> I'm not processing offline files, if that's what you mean (still a bit new to bro, feel free to expand on the tracefiles).

Ohh, I know what's happening.  You're running Bro directly at the command line without using broctl, aren't you?  Bro doesn't have log rotation enabled by default, and the index name rotation is based on log rotation.

Set this in a script you're loading...

redef Log::default_rotation_interval = 1hr;

I haven't double checked and I'm not sure what that will do to the ASCII logs, but it should at least give you partitioned index names in ES.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
