[Bro] Append instead of overwrite

James Lay jlay at slave-tothe-box.net
Thu Aug 21 12:57:16 PDT 2014


On 2014-08-21 13:36, Daniel Thayer wrote:
> On 08/15/2014 01:13 PM, Seth Hall wrote:
>>
>> On Aug 15, 2014, at 11:53 AM, James Lay <jlay at slave-tothe-box.net> 
>> wrote:
>>
>>> To give me an option to append instead of overwrite.  I imagine that
>>> since broctl does all the file management that this could be a
>>> command line option...
>>
>> Ah!  You just want to have file management (and perhaps full 
>> rotation?) added as a standalone script and not something that is 
>> added by broctl?
>>
>> Johanna is right that with our current logging scheme we can't 
>> really append log files for multiple reasons but I could certainly 
>> pull together something that would give you decent log rotation 
>> without running broctl.
>>
>>    .Seth
>>
>
> To get basic log rotation working without running broctl, you only
> need to add this in one of your Bro scripts:
>
> redef Log::default_rotation_interval = 3600 secs;
>
> However, that does not compress the rotated logs, and it will not
> move them to another directory.  If you want those features, then
> you need to have broctl installed, and you need to add this line also:
>
> redef Log::default_rotation_postprocessor_cmd = "archive-log";
>
> The "archive-log" script will be executed by Bro (so it either needs
> to be in Bro's PATH or you need to give the pathname).
>
> In order to get the archive-log script to work, you need to
> edit broctl.cfg as needed and run "broctl install".  Then start Bro
> manually and when Bro runs archive-log it should have all the
> info it needs.

Excellent...thanks so much Daniel...I will start testing that out this 
weekend.

James
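One way to get the compress-and-move behaviour Daniel describes without running broctl, as an added example that is not from this thread or from the Bro project: a custom rotation postprocessor written in Bro script, with the archive directory an assumed placeholder.

```bro
# Added example (not from the thread): rotate hourly, then gzip each
# rotated ASCII log and move it into a per-day archive directory, all
# from Bro script, so neither broctl nor archive-log is required.

redef Log::default_rotation_interval = 3600 secs;

# Assumption: pick any directory Bro's user can write to.
const archive_root = "/var/log/bro-archive" &redef;

function archive_postprocessor(info: Log::RotationInfo): bool
	{
	# Per-day directory keyed on the time the rotated log was opened.
	local day = strftime("%Y-%m-%d", info$open);
	local dir = fmt("%s/%s", archive_root, day);

	# Final name carries the open and close times, e.g.
	# /var/log/bro-archive/2014-08-21/conn.12:00:00-13:00:00.log
	local dst = fmt("%s/%s.%s-%s.log", dir, info$path,
	                strftime("%H:%M:%S", info$open),
	                strftime("%H:%M:%S", info$close));

	# Escape every argument handed to the shell; the names are under
	# your control, but escaping keeps the command safe regardless.
	system(fmt("mkdir -p %s && mv %s %s && gzip -f %s",
	           str_shell_escape(dir),
	           str_shell_escape(info$fname),
	           str_shell_escape(dst),
	           str_shell_escape(dst)));

	return T;
	}

# Use it for every ASCII log stream in place of the default
# rename-in-place postprocessor.
redef Log::default_rotation_postprocessors += {
	[Log::WRITER_ASCII] = archive_postprocessor
};
```

Load this from local.bro (or pass it on the bro command line); the rotated file ends up as the .gz of the path in the comment.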