[Bro] Bro Cluster Elasticsearch rotation_interval ignored

M K mkhan04 at gmail.com
Tue Apr 29 08:40:20 PDT 2014


I'm testing out the ElasticSearch writer in a Bro Cluster (2.2 release)
along with the Ascii writer. I've set LogRotationInterval to an hour (3600)
in broctl.cfg which I know sets or overrides Log::default_rotation_interval
and in my local.bro I've overridden the rotation_interval parameter of the
ElasticSearch Logger (defined in logs-to-elasticsearch policy) to be every
24 hours. Apparently, Bro seems to be ignoring the rotation_interval value.

I've tried not setting LogRotationInterval and setting
Log::default_rotation_interval in my local.bro file but I got similar
results.

Is there any way to have the Ascii writer use a 1hr rotation interval while
the ElasticSearch writer uses a different one? Looking through the
docs/code it doesn't look like LogAscii has a rotation_interval of its own.
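Added example (editor's, not the poster's code and not part of the Bro project): a local.bro fragment that writes out the two intervals the post describes at the filter level, where Bro's logging framework keeps the rotation interval. It assumes Bro 2.2, where the Log::Filter record carries an `interv` field (defaulting to Log::default_rotation_interval) and where the logs-to-elasticsearch policy passes LogElasticSearch::rotation_interval as that field on the ElasticSearch filters it adds in its own bro_init handler. Whether the ElasticSearch writer then honours a 24hr value is exactly the open question of the post; the fragment only makes the per-writer setting explicit so the two writers can be compared.

```bro
# Added example, not from the original message. Assumes Bro 2.2's
# Log::Filter$interv field and policy/tuning/logs-to-elasticsearch.bro.
@load tuning/logs-to-elasticsearch

# Fallback interval for every filter that does not set $interv itself.
# On a cluster, broctl's LogRotationInterval overrides this value.
redef Log::default_rotation_interval = 1hr;

# Value the logs-to-elasticsearch policy passes as $interv on the
# ElasticSearch filter it adds for each active stream (assumption: that
# policy adds its filters in bro_init at priority -5).
redef LogElasticSearch::rotation_interval = 24hr;

# Run after the streams and the policy's filters exist, and pin the Ascii
# writer's interval explicitly on one stream so it is visibly 1hr even if
# the default is changed elsewhere.
event bro_init() &priority=-10
    {
    # The stock Ascii filter on every stream is named "default"; replace it
    # with an identical one that states its rotation interval.
    Log::remove_filter(Conn::LOG, "default");
    Log::add_filter(Conn::LOG, [$name="default",
                                $writer=Log::WRITER_ASCII,
                                $interv=1hr]);
    }
```

The ElasticSearch filter is left to the policy so conn entries are not indexed twice; if it rotates on the hourly schedule regardless, the 24hr value is being dropped somewhere between the redef and the writer, which narrows down where to look.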