[Bro] Question on log rotation

Eric Ooi ericooi at gmail.com
Thu Dec 19 17:45:27 PST 2013


I’ve noticed this before on Bro 2.1.  I ended up writing a quick python script and configured it as an hourly cron job to complete the compression and move.  I’ve attached it here.  Hope this helps.

Eric

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bro_missed_rotate.py
Type: text/x-python-script
Size: 2101 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131219/2b1d2873/attachment.bin 
-------------- next part --------------


On Dec 19, 2013, at 5:57 PM, Gary Faulkner <gary at doit.wisc.edu> wrote:

> I had a situation where log rotation and post-processing (summary emails) were not completing. New logs would get started and each previous hour's logs renamed, but not get compressed and moved, which means that many of the previous logs were still in /current (or are they really in <path-to-bro>/spool/manager?). In any case upon stopping bro via broctl it appears that only the most current log got processed and archived while all of the logs in between that never got processed seem to simply have gotten deleted. Are those logs simply lost or somewhere other than the dated archive folder and /current folder? If so, is this expected behavior, or is there normally something that would check to see if previous logs failed to rotate out?
> 
> Regards,
> 
> -- 
> Gary Faulkner
> UW Madison
> Office of Campus Information Security
> 608-262-8591
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
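An added example, not Eric's attached script (which did not survive in the archive): a Python cron job that finds Bro logs that broctl renamed at rotation but never compressed and moved, gzips them, and files them under a dated archive folder. The rotated-file naming pattern, the spool and log paths, and the archive layout are assumptions; adjust them to your installation.

```python
"""Hourly cron job: archive Bro logs that were rotated but never compressed/moved."""
import gzip
import os
import re
import shutil

# ASSUMPTION: a rotated-but-unarchived file looks like "conn.2013-12-19-17-00-00.log"
# (stream name, then rotation timestamp). Adjust if your broctl names differ.
ROTATED_RE = re.compile(
    r"^(?P<stream>[A-Za-z0-9_]+)\.(?P<date>\d{4}-\d{2}-\d{2})-(?P<time>\d{2}-\d{2}-\d{2})\.log$"
)


def parse_rotated_name(filename):
    """Return (stream, date, time) for a rotated log name, or None for anything else
    (the live 'conn.log', already-compressed '.gz' files, stderr.log, ...)."""
    m = ROTATED_RE.match(filename)
    if not m:
        return None
    return m.group("stream"), m.group("date"), m.group("time")


def archive_path(archive_root, filename):
    """Destination for a rotated log: <archive_root>/<YYYY-MM-DD>/<name>.gz (assumed layout)."""
    parsed = parse_rotated_name(filename)
    if parsed is None:
        return None
    _stream, date, _time = parsed
    return os.path.join(archive_root, date, filename + ".gz")


def archive_missed_logs(spool_dir, archive_root):
    """Compress and move every leftover rotated log in spool_dir; return the archived paths."""
    archived = []
    for name in sorted(os.listdir(spool_dir)):
        dest = archive_path(archive_root, name)
        if dest is None or os.path.exists(dest):
            continue  # not a rotated log, or broctl already archived this one: never clobber it
        src = os.path.join(spool_dir, name)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        tmp = dest + ".part"  # write to a temp name so a crash leaves no half-written .gz
        with open(src, "rb") as fin, gzip.open(tmp, "wb") as fout:
            shutil.copyfileobj(fin, fout)
        os.replace(tmp, dest)
        os.remove(src)  # remove the uncompressed original only after the .gz is complete
        archived.append(dest)
    return archived


if __name__ == "__main__":
    import sys
    # ASSUMPTION: default install paths; pass your own as argv[1] (spool) and argv[2] (archive).
    spool = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bro/spool/manager"
    root = sys.argv[2] if len(sys.argv) > 2 else "/usr/local/bro/logs"
    for p in archive_missed_logs(spool, root):
        print("archived", p)
```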
