[Bro] Bro + Log rotation (solr ?)

Daniel Thayer dnthayer at illinois.edu
Tue Sep 16 08:10:40 PDT 2014


After changing broctl.cfg, did you remember to run
"broctl install"?  Your changes do not take effect until
you "install" them.

Next, you need to restart Bro ("broctl restart") so that
Bro will read the new settings.


On 09/16/2014 08:58 AM, Joe Blow wrote:
> Hey James,
>
> How exactly are you completely disabling the bro file rotation?  This is
> what I tried in broctl.conf:
>
> SitePolicyStandalone = local.bro
> CfgDir = /usr/local/bro/etc
> SpoolDir = /usr/local/bro/spool
> LogDir = /usr/local/bro/logs
> LogRotationInterval = 0
> MinDiskSpace = 5
>
> But I still see .gz files being created.  Am I missing something to
> disable it completely?
>
> Cheers,
>
> Justin
>
> On Mon, Sep 15, 2014 at 6:56 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
>     On 2014-09-15 16:38, Joe Blow wrote:
>     > Hey all,
>     >
>     > I'm using Bro + rsyslog filereader in order to pump Bro into our big
>     > data solution (Apache SOLR).  I'm using custom python scripts to parse
>     > the incoming bro messages, batch them into appropriate sizes, and
>     > then POST them to the SOLR cluster we have set up.  The main problem I'm
>     > running into is that rsyslog does not seem to follow the files once
>     > they have gone through a Bro logrotate.  Is there a way to completely
>     > disable logrotate?  Has anyone had any luck with the Bro logrotate
>     > and not losing file handles?
>     >
>     > I'd love some help in this matter.  Also - I know that Bro supports
>     > elastic search POSTing (via libcurl).  Is there any reason why an
>     > apache SOLR module can't be written/adapted?  I don't see a need to
>     > write to a file and worry about file handles, when it's almost exactly
>     > the same to POST to SOLR as it is to ES.  Since it's all libcurl (and
>     > JSON) under the hood, I'd be glad to post/share the SOLR schemas I've
>     > created for the Bro data.
>     >
>     > Thanks in advance.
>     >
>     > Cheers,
>     >
>     > JB
>
>     I experienced the same thing, but since I rotate the files manually, I
>     restart the syslog service after rotating and that's done the trick for
>     me.
>
>     James
>     _______________________________________________
>     Bro mailing list
>     bro at bro-ids.org
>     http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

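The reply above boils down to a three-step procedure: edit etc/broctl.cfg, run "broctl install", then "broctl restart". The script below is an added example, not code from the thread or from the BroControl project. It parses a broctl.cfg-style file (case-insensitive "Key = value" lines, "#" comments), reports whether LogRotationInterval is 0 (the documented "rotation disabled" setting, in seconds), and compares the edited value with the installed copy so you can tell whether "broctl install" has been run yet. It assumes that "broctl install" writes a spool/broctl-config.sh file made of lowercased key="value" lines; check that layout on your own install before relying on the comparison. Both sample files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or BroControl itself).
# Assumptions: LogRotationInterval is in seconds and 0 disables rotation;
# "broctl install" writes spool/broctl-config.sh as lowercased key="value"
# lines (assumed layout; verify on your installation).

# Print the value of KEY from an etc/broctl.cfg-style file:
# "Key = value" lines, keys matched case-insensitively, '#' comments dropped.
# Prints nothing if the key is absent.
cfg_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                         # strip trailing comments
        /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Print the value of KEY from spool/broctl-config.sh (assumed layout:
# lowercased key="value" lines, as written by "broctl install").
installed_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -F'=' '
        $1 == key { v = substr($0, length($1) + 2); gsub(/^"|"$/, "", v); print v; exit }' "$1"
}

# Human-readable rotation policy derived from the edited config.
rotation_policy() {
    v=$(cfg_value "$1" LogRotationInterval)
    case "$v" in
        0)  echo disabled ;;
        "") echo "default (key not set)" ;;
        *)  echo "every ${v}s" ;;
    esac
}

# Succeeds when KEY has the same value in the edited config ($1) and the
# installed copy ($2); fails when "broctl install" still needs to run.
config_applied() {
    [ "$(cfg_value "$1" "$3")" = "$(installed_value "$2" "$3")" ]
}

# Write constructed sample files into directory $1 (not a real installation).
write_samples() {
    cat > "$1/broctl.cfg" <<'EOF'
# constructed excerpt of etc/broctl.cfg
SitePolicyStandalone = local.bro
LogDir = /usr/local/bro/logs
LogRotationInterval = 0      # edited, but not yet installed
MinDiskSpace = 5
EOF
    cat > "$1/broctl-config.sh" <<'EOF'
logdir="/usr/local/bro/logs"
logrotationinterval="3600"
mindiskspace="5"
EOF
}

# Stand-alone demo on the constructed files.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "configured rotation: $(rotation_policy "$demo_dir/broctl.cfg")"
if config_applied "$demo_dir/broctl.cfg" "$demo_dir/broctl-config.sh" LogRotationInterval; then
    echo "LogRotationInterval is installed; a 'broctl restart' makes Bro read it"
else
    echo "LogRotationInterval differs from the installed copy: run 'broctl install', then 'broctl restart'"
fi
rm -rf "$demo_dir"
```

On a real host, point cfg_value at /usr/local/bro/etc/broctl.cfg and installed_value at the spool copy; a mismatch on the key you just edited is exactly the "forgot to install" state the reply describes, and even a matching value still needs the restart before the running Bro picks it up.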