[Bro] redef LogExpireInterval with JSON log writer?
jan.grashoefer at gmail.com
Fri Mar 16 12:13:58 PDT 2018
On 16/03/18 19:09, Drew Dixon wrote:
> So, for example, if I have a retention of
> say 15 days (in broctl.cfg, setting LogExpireInterval = 15) of archived
> logs for the default tab-delimited logs, I want to be able to tell bro,
> independently of the broctl.cfg global LogExpireInterval setting value, that
> I want only all of my json_streaming_* logs to expire/be deleted/removed
> off of disk after say 1 day, while the normal tab-delimited logs still
> adhere to the 15-day archive retention.
The point here is that expiration of archived logs isn't done by bro but
by broctl. Using add-json, one thing that might work for you is to redef
Log::path_json and write out your JSON logs into a different directory.
For this you could set up a cron job or something to expire files using a
different interval than you configured for the default logs.
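The cron-driven expiry suggested above, as an added example that is not part of the thread or of the add-json package. It assumes the JSON logs have already been redirected with `redef Log::path_json` into a directory of their own (the path `/var/log/bro/json` below is an assumption), that broctl's own `LogExpireInterval` keeps handling the tab-delimited logs elsewhere, and that cron invokes the script once a day. It matches only `json_streaming_*` files and uses `-mmin` rather than `-mtime`, because `-mtime +1` discards fractional days and therefore misses files that are between 24 and 48 hours old.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from add-json.
# Expire JSON logs in a dedicated directory on a shorter schedule than
# broctl's LogExpireInterval, which keeps governing the tab-delimited logs.
#
# Assumed Bro-side configuration (path is an assumption):
#   redef Log::path_json = "/var/log/bro/json";
# Assumed cron entry (daily, 1-day retention):
#   15 0 * * *  /usr/local/bin/expire_json_logs.sh /var/log/bro/json 1
set -u

# expire_json_logs DIR DAYS
# Removes regular files named json_streaming_* below DIR whose modification
# time is more than DAYS*24 hours ago and prints how many were removed.
# Files with any other name (e.g. conn.log) are never touched.
expire_json_logs() {
    dir=$1
    days=$2
    [ -d "$dir" ] || { echo "expire_json_logs: no such directory: $dir" >&2; return 1; }
    minutes=$((days * 1440))
    # -print runs only when the preceding -exec succeeded, so the count
    # reflects files that were actually deleted, not merely matched.
    find "$dir" -type f -name 'json_streaming_*' -mmin +"$minutes" \
        -exec rm -f -- {} \; -print | wc -l | tr -d ' '
}

# When run as a script: expire_json_logs.sh DIR DAYS
if [ "$#" -eq 2 ]; then
    expire_json_logs "$1" "$2"
fi
```

The restriction to the `json_streaming_*` name pattern is what keeps this safe to point at a directory that might later receive other files; combining it with a separate `Log::path_json` directory gives two independent guards against accidentally expiring the 15-day tab-delimited archive.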