[Bro] Bro + Log rotation (solr ?)
jlay at slave-tothe-box.net
Mon Sep 15 15:56:37 PDT 2014
On 2014-09-15 16:38, Joe Blow wrote:
> Hey all,
> I'm using Bro + rsyslog filereader in order to pump Bro into our big
> data solution (Apache SOLR). I'm using custom python scripts to parse
> the incoming bro messages, batch them into appropriate sizes, and
> POST them to the SOLR cluster we have set up. The main problem I'm
> running into is that rsyslog does not seem to follow the files once
> they have gone through a Bro logrotate. Is there a way to completely
> disable logrotate? Has anyone had any luck with the Bro logrotate
> and not losing file handles?
> I'd love some help in this matter. Also - I know that Bro supports
> Elasticsearch POSTing (via libcurl). Is there any reason why an
> Apache SOLR module can't be written/adapted? I don't see a need to
> write to a file and worry about file handles, when it's almost exactly
> the same to POST to SOLR as it is to ES. Since it's all libcurl (and
> JSON) under the hood, I'd be glad to post/share the SOLR schemas I've
> created for the Bro data.
> Thanks in advance.
I experienced the same thing, but since I rotate the files manually, I
restart the syslog service after rotating and that's done the trick for
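The file-handle problem both messages describe (a follower that keeps reading the old inode after Bro rotates the log) is the kind of thing a custom tailer can handle itself. The following is an added example, not code from this thread, from Bro, or from rsyslog. It assumes rename-style rotation (the live conn.log is renamed to a timestamped archive and a fresh conn.log is opened at the same path; the archive name used here is made up) and also covers truncate-in-place rotation. The log records, UIDs and addresses are constructed for the demo.

```python
import os
import tempfile


class RotationAwareTail:
    """Follow a log file across rotation without losing lines.

    A follower that opens the file once and keeps reading stays attached to
    the old inode after the live log is renamed, so everything written to the
    new file at the same path is silently missed. This follower first drains
    the handle it already has, then compares the inode behind the path (rename
    rotation) and the file size against its own offset (truncate-in-place
    rotation) and reopens when either changed.
    """

    def __init__(self, path):
        self.path = path
        self.fh = None
        self.ident = None   # (st_dev, st_ino) of the handle we hold
        self.pos = 0        # byte offset just past the last complete line
        self._open()

    def _open(self):
        self.fh = open(self.path, "rb")
        st = os.fstat(self.fh.fileno())
        self.ident = (st.st_dev, st.st_ino)
        self.pos = 0

    def _rotated(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            # Old file already renamed, new one not created yet: keep reading
            # the old handle until the path reappears.
            return False
        # The size check only catches truncation to below our offset; a file
        # truncated and already grown past it is indistinguishable from growth.
        return (st.st_dev, st.st_ino) != self.ident or st.st_size < self.pos

    def _drain(self):
        out = []
        while True:
            line = self.fh.readline()
            if not line.endswith(b"\n"):
                # EOF, or a record still being written: rewind to the last
                # complete line so the partial one is re-read whole next time.
                self.fh.seek(self.pos)
                return out
            self.pos = self.fh.tell()
            out.append(line[:-1].decode("utf-8", "replace"))

    def read_lines(self):
        """Return every complete line written since the previous call."""
        lines = self._drain()
        if self._rotated():
            self.fh.close()
            self._open()
            lines.extend(self._drain())
        return lines


# Constructed records in Bro's tab-separated ASCII layout (not real traffic).
HEADER = b"#separator \\x09\n"
REC1 = b"1410822997.123\tCXWv6p3arKYeMETxOg\t10.0.0.5\t52341\t93.184.216.34\t80\ttcp\n"
REC2 = b"1410823101.456\tCYX5z11xG7dRXmQO5c\t10.0.0.7\t44022\t198.51.100.9\t443\ttcp\n"
REC3 = b"1410823200.789\tCmq4Wd2kFnH0iPQdZf\t10.0.0.9\t39120\t203.0.113.1\t22\ttcp\n"


def simulate_bro_rotation(workdir):
    """Drive the follower through rename rotation, a half-written record and
    truncate-in-place rotation; returns the list returned by each read call."""
    path = os.path.join(workdir, "conn.log")
    results = []
    with open(path, "wb") as f:
        f.write(HEADER + REC1)
    tail = RotationAwareTail(path)
    results.append(tail.read_lines())            # header + REC1

    # Rename-style rotation (assumed Bro behaviour): archive old, open new.
    os.replace(path, os.path.join(workdir, "conn.2014-09-15-16-00-00.log"))
    with open(path, "wb") as f:
        f.write(HEADER + REC2[:20])               # record only half written
    results.append(tail.read_lines())            # header only, REC2 deferred
    with open(path, "ab") as f:
        f.write(REC2[20:])                        # rest of the record lands
    results.append(tail.read_lines())            # REC2, read whole

    # Truncate-in-place rotation (copytruncate style): same inode, smaller.
    with open(path, "wb") as f:
        f.write(REC3)
    results.append(tail.read_lines())            # REC3 from the reopened file
    return results


def run_demo():
    """Run the scenario in a scratch directory and return the per-call results."""
    with tempfile.TemporaryDirectory() as d:
        return simulate_bro_rotation(d)


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

The partial-record handling matters for the batching step in the original post: a line is only handed on once its newline has arrived, so a record that Bro is still writing is never split across two POSTs to SOLR.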