[Bro] Feature Request: Append

Seth Hall seth at icir.org
Wed Oct 5 05:17:18 PDT 2016

> On Sep 29, 2016, at 6:53 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> I know I've brought this up before, but I was going to put this in on 
> the github but that feature isn't enabled.
> I know a lot of people just use broctl and be done with it, but I just 
> use it via command line most of the time.  It would REALLY be nice to have 
> a command line switch to not overwrite log files and just append to 
> existing files.  Thank you.

Yeah, this has been a bit of an unfortunate change.  When we switched to the current logging format in 2.0, we changed the logging so you couldn't append, because the ascii writer in the default "bro log format" wants to put the header and footer in place.  If the format of the logs changes between restarts, the content wouldn't even be consistent (i.e., column offsets could change or columns could be renamed).

This request may be an early sign that we need to consider a bit of an overhaul to the default writers in 2.6.  The ascii writer is sort of overloaded by doing both the "bro log format" and JSON logging; the JSON logging doesn't provide any indication of the structure of the logs being provided; and you can't append with the ascii writer, as you've indicated (although, if we had a dedicated JSON logger, it might make more sense to have an append mode).  Definitely some issues to think about.

Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
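The constraint Seth describes (a Bro 2.x ASCII log carries its own #fields/#types header and #close footer, so two runs can only be concatenated if every column still lines up) can be enforced outside Bro when you do want to append. The following is an added example, not code from the Bro project or from either poster: a small Python merge that parses the header of each file, refuses when the schema changed between restarts, and otherwise keeps a single header and a single footer. The sample log text is constructed, with a column set that is a subset of conn.log; the parse/append function names are mine.

```python
"""Append one Bro 2.x ASCII log to another only when their schemas agree.

Added example, not part of the Bro project. The log text below is
constructed; the columns are a subset of conn.log.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class BroLog:
    separator: str
    header: Dict[str, List[str]]   # e.g. header["fields"] -> column names
    records: List[str]             # raw data rows, one string per line
    footer: Optional[str]          # the "#close ..." line, if the writer finished


def parse_bro_log(text: str) -> BroLog:
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#separator "):
        raise ValueError("not a Bro ASCII log: first line must be '#separator'")
    # The separator is written escaped (\x09 for a tab); decode it, then
    # split every other header line on the real separator.
    sep = lines[0][len("#separator "):].encode("ascii").decode("unicode_escape")
    header: Dict[str, List[str]] = {}
    records: List[str] = []
    footer = None
    for line in lines[1:]:
        if not line:
            continue
        if line.startswith("#close"):
            footer = line
        elif line.startswith("#"):
            key, *values = line[1:].split(sep)
            header[key] = values
        else:
            records.append(line)
    for key in ("fields", "types"):
        if key not in header:
            raise ValueError(f"missing #{key} header line")
    width = len(header["fields"])
    if width != len(header["types"]):
        raise ValueError("#fields and #types disagree on column count")
    for row in records:  # a writer killed mid-row leaves a short line; reject it
        if len(row.split(sep)) != width:
            raise ValueError(f"expected {width} columns: {row!r}")
    return BroLog(sep, header, records, footer)


# Everything that decides how a row is read must match before appending.
SCHEMA_KEYS = ("fields", "types", "set_separator", "empty_field", "unset_field", "path")


def schema_matches(a: BroLog, b: BroLog) -> bool:
    return a.separator == b.separator and all(
        a.header.get(k) == b.header.get(k) for k in SCHEMA_KEYS)


def append_log(existing: str, new: str) -> str:
    """Return existing + new's data rows with one header and one footer.

    Raises ValueError when a column was added, removed or renamed between
    the two runs, since appending would silently shift every later row.
    """
    old, add = parse_bro_log(existing), parse_bro_log(new)
    if not schema_matches(old, add):
        raise ValueError(f"schema changed: {old.header['fields']} vs {add.header['fields']}")
    out = [ln for ln in existing.splitlines() if ln and not ln.startswith("#close")]
    out.extend(add.records)
    footer = add.footer or old.footer   # newest #close wins; keep the old one if new was cut short
    if footer:
        out.append(footer)
    return "\n".join(out) + "\n"


SEP = "\t"


def _log(open_ts, close_ts, fields, types, rows) -> str:
    """Build a constructed Bro-style ASCII log for the demonstration."""
    head = ["#separator \\x09",
            SEP.join(["#set_separator", ","]), SEP.join(["#empty_field", "(empty)"]),
            SEP.join(["#unset_field", "-"]), SEP.join(["#path", "conn"]),
            SEP.join(["#open", open_ts]), SEP.join(["#fields", *fields]), SEP.join(["#types", *types])]
    return "\n".join(head + [SEP.join(r) for r in rows] + [SEP.join(["#close", close_ts])]) + "\n"


FIELDS = ["ts", "uid", "id.orig_h", "id.resp_h", "proto"]
TYPES = ["time", "string", "addr", "addr", "enum"]
LOG_A = _log("2016-10-05-05-00-00", "2016-10-05-05-30-00", FIELDS, TYPES,
             [["1475640000.000000", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "10.0.0.9", "tcp"]])
LOG_B = _log("2016-10-05-05-30-00", "2016-10-05-06-00-00", FIELDS, TYPES,
             [["1475641800.000000", "C4J4Th3PJpwUYZZ6gc", "10.0.0.7", "10.0.0.9", "udp"]])
# The same log after a restart that added a column: must be refused, not appended.
LOG_C = _log("2016-10-05-06-00-00", "2016-10-05-06-30-00", FIELDS + ["service"], TYPES + ["string"],
             [["1475643600.000000", "CmES5u32sYpV7JYN", "10.0.0.8", "10.0.0.9", "tcp", "dns"]])

if __name__ == "__main__":
    merged = append_log(LOG_A, LOG_B)
    print(merged)
    try:
        append_log(merged, LOG_C)
    except ValueError as err:
        print("refused:", err)
```

The row-width check matters as much as the header comparison: a Bro process killed mid-write leaves a truncated last row and no #close, and blindly appending to that file would produce a line that parsers read as belonging to the next row.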
