[Bro] is there a standard config option for pruning historical logs?

Justin Azoff JAzoff at albany.edu
Mon Oct 21 08:31:23 PDT 2013


On Thu, Oct 17, 2013 at 02:49:33PM +1300, Russell Fulton wrote:
> Yes, I know it is trivial, but if there is a built-in way to do it I would rather use it!  That way, when someone changes the log directory between releases, it keeps working ;)
> 
> I am putting much of the data into elsa so there isn't much point in keeping it hanging around in bro-logs for long.
> 

In addition to the options you found, another option is to use cron jobs
to have per-log-file retention periods.  I do something like this:

    # -type f skips the dated directories themselves; -exec rm -f {} + (instead
    # of piping to xargs) copes with odd file names and with an empty match list.
    @daily root find /usr/local/bro/logs/ -type f -name 'http*' -mtime +6 -exec rm -f {} +
    @daily root find /usr/local/bro/logs/ -type f -name 'ftp.*' -mtime +6 -exec rm -f {} +

to only keep http and ftp logs for a week.  Once the 'big' log files are
removed, a day's logs are < 100M instead of 10G.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst
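The per-log-type retention idea above, carried a little further as an added example (this is not Justin's cron entry nor anything shipped with Bro): one script that a single cron job calls, with a table of retention periods per log type, a dry-run mode, and `find -exec ... {} +` so that paths with unusual characters and an empty match list are both handled. It assumes the usual BroControl layout (one dated subdirectory per day under the log root, file names beginning with the log type, e.g. `http.00:00:00-01:00:00.log.gz`); the retention table and the `BRO_LOGS` variable are made up for illustration and should be adjusted to the site. Types not in the table are left to broctl's own expiry setting.

```shell
#!/bin/sh
# Added example, not code from the original post or from Bro/BroControl.
# Per-log-type retention for Bro logs, meant to be run from cron:
#   prune-bro-logs [-n] LOGDIR      (-n = dry run, only list what would go)
# Assumptions (illustrative, adjust for your site): logs live under LOGDIR in
# dated subdirectories, and each file name starts with its log type.

BRO_LOGS="${BRO_LOGS:-/usr/local/bro/logs}"   # default log root (assumed)

# "type days" pairs: delete files of TYPE older than DAYS days.
# Types not listed here are never touched by this script; they are left to
# broctl's LogExpireInterval. These values are made up for the example.
RETENTION="
http 7
ftp 7
dns 14
files 14
"

# prune_type DIR TYPE DAYS [DRY]
# Removes DIR/**/TYPE.* files older than DAYS days; with DRY=1 only lists them.
# -type f keeps the dated directories out of the match; -exec rm -f {} +
# (rather than xargs) tolerates odd file names and an empty result set.
prune_type() {
    dir=$1; type=$2; days=$3; dry=${4:-0}
    # find's -mtime +N means "more than N*24h old", so a week is +6.
    mtime=$((days - 1))
    if [ "$dry" = 1 ]; then
        find "$dir" -type f -name "$type.*" -mtime +"$mtime" -print
    else
        find "$dir" -type f -name "$type.*" -mtime +"$mtime" -exec rm -f {} +
    fi
}

# prune_all DIR [DRY]: apply every line of RETENTION to DIR.
prune_all() {
    dir=$1; dry=${2:-0}
    printf '%s\n' "$RETENTION" | while read -r type days; do
        [ -n "$type" ] || continue          # skip blank lines of the table
        prune_type "$dir" "$type" "$days" "$dry"
    done
}

# count_logs DIR TYPE: number of TYPE.* files still present (for checks).
count_logs() {
    find "$1" -type f -name "$2.*" | wc -l | tr -d ' '
}

# Command-line entry point. Deletion requires an explicit LOGDIR so that a
# stray invocation with no arguments does nothing.
case "$1" in
    -n) prune_all "${2:-$BRO_LOGS}" 1 ;;
    ?*) prune_all "$1" 0 ;;
esac
```

A crontab line such as `@daily root /usr/local/bin/prune-bro-logs /usr/local/bro/logs` (hypothetical install path) then replaces one `find` line per log type, and `prune-bro-logs -n /usr/local/bro/logs` shows what the next run would remove without touching anything.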


