[Bro] recipe for log rotating?

Tim Rupp tarupp at fnal.gov
Tue Nov 16 08:28:20 PST 2010


Well, right now I'm just using straight bro (the binary) because I'm in 
the middle of debugging a script, but ultimately it will move to brocontrol.

I have only limited experience with BroControl at this point though (I 
ran it and started a script); I haven't experienced BroControl's handling 
of log files yet.

I guess I'm just looking to simulate what regular old Linux does with 
logs and logrotate; everything goes into one directory, or a subset of 
that one directory (for instance httpd logs in the subdirectory 
/var/log/httpd/) and then logrotate coming around and making .1, .2, etc. 
at some interval.

It'd be equally acceptable to me if I could just change the bro log file 
name to not be a timestamp, and then have logrotate work like it does 
naturally.

Can I redef the build_name function in rotate logs and just return a 
string like "messages" and then bro would create a regular file called 
"messages" without the extra timestamp text, filename suffix, etc??

If I were to let logrotate handle rotating of the bro log, I'd also want 
to tell bro to never rotate its own file, and then in the logrotate 
config specify "copytruncate" to prevent bro from losing any open 
handles to its log file, right?

I approached the log rotate question as a function of bro, but maybe in 
my case I would be happy with what I described above?

-Tim

Seth Hall wrote:
> On Nov 16, 2010, at 10:09 AM, Tim Rupp wrote:
> 
>> Hi folks,
>>
>> I was wondering if anyone had a recipe for changing the log rotate
>> script to rotate bro logs like regular log rotate does
>>
>> notice.log
>> notice.log.1
>> notice.log.2
>> notice.log.3
> 
> I'm thinking about how to implement this, but I had some questions.  Are you using BroControl so your logs are being put into directories by day?  How do you see these log names working in that context?  Would each day have logs named like: *.0, *.2, *.3, ..., *.23?
> 
> Or are you asking about creating logs named this way outside of the context of BroControl?
> 
>   .Seth
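
The open-handle concern behind "copytruncate" in the message above, as an added example that is not part of the original thread: a writer keeps its descriptor open across a rename-style rotation and a copy-then-truncate rotation. The writer is a stand-in for any long-running process, not Bro's logging code, and the two rotate functions only imitate what logrotate does; all names are hypothetical.

```python
import os
import tempfile


def rotate_rename(path):
    """Imitates default logrotate: rename log -> log.1, then create a fresh log."""
    os.replace(path, path + ".1")
    open(path, "a").close()


def rotate_copytruncate(path):
    """Imitates 'copytruncate': copy the contents to log.1, then truncate in place."""
    with open(path, "rb") as src, open(path + ".1", "wb") as dst:
        dst.write(src.read())
    # Anything the writer appends between the copy and the truncate is lost.
    os.truncate(path, 0)


def simulate(rotate, append=True):
    """Write, rotate, write again on the SAME descriptor; return (live, rotated)."""
    path = os.path.join(tempfile.mkdtemp(), "notice.log")
    flags = os.O_WRONLY | os.O_CREAT | (os.O_APPEND if append else 0)
    fd = os.open(path, flags, 0o600)
    os.write(fd, b"before rotation\n")
    rotate(path)
    os.write(fd, b"after rotation\n")  # the process never reopened its log
    os.close(fd)
    with open(path, "rb") as f:
        live = f.read()
    with open(path + ".1", "rb") as f:
        rotated = f.read()
    return live, rotated


if __name__ == "__main__":
    # rename: the descriptor follows the inode, so new lines land in notice.log.1
    print("rename       ", simulate(rotate_rename))
    # copytruncate + O_APPEND: new lines land in the live file, as hoped
    print("copytruncate ", simulate(rotate_copytruncate))
    # copytruncate without O_APPEND: the writer's offset survives the truncate,
    # so the live file starts with a run of NUL bytes (a sparse hole)
    print("no O_APPEND  ", simulate(rotate_copytruncate, append=False))
```

For logs kept as evidence, the lines lost between the copy and the truncate, and the NUL padding when the writer does not append, are the two things to check before relying on copytruncate.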


