[Bro] Question on log rotation
Gary Faulkner
gary at doit.wisc.edu
Thu Dec 19 15:57:35 PST 2013
I had a situation where log rotation and post-processing (summary
emails) were not completing. New logs would get started and each
previous hour's logs renamed, but not get compressed and moved, which
means that many of the previous logs were still in /current (or are they
really in <path-to-bro>/spool/manager?). In any case, upon stopping bro
via broctl it appears that only the most current log got processed and
archived while all of the logs in between that never got processed seem
to simply have gotten deleted. Are those logs simply lost or somewhere
other than the dated archive folder and /current folder? If so, is this
expected behavior, or is there normally something that would check to
see if previous logs failed to rotate out?
Regards,
--
Gary Faulkner
UW Madison
Office of Campus Information Security
608-262-8591