[Bro] Append instead of overwrite

James Lay jlay at slave-tothe-box.net
Thu Aug 21 14:13:25 PDT 2014 

On 2014-08-21 13:36, Daniel Thayer wrote:
> On 08/15/2014 01:13 PM, Seth Hall wrote:
>>
>> On Aug 15, 2014, at 11:53 AM, James Lay <jlay at slave-tothe-box.net> 
>> wrote:
>>
>>> To give me an option to append instead of overwrite.  I imagine 
>>> that
>>> since broctl does all the file management that this could be a 
>>> command
>>> line option...
>>
>> Ah!  You just want to have file management (and perhaps full 
>> rotation?) added as a standalone script and not something that is 
>> added by broctl?
>>
>> Johanna is right that with our current logging scheme we can't 
>> really append log files for multiple reasons but I could certainly 
>> pull together something that would give you decent log rotation 
>> without running broctl.
>>
>>    .Seth
>>
>
> To get basic log rotation working without running broctl, you only
> need to add this in one of your Bro scripts:
>
> redef Log::default_rotation_interval = 3600 secs;
>
> However, that does not compress the rotated logs, and it will not
> move them to another directory.  If you want those features, then
> you need to have broctl installed, and you need to add this line 
> also:
>
> redef Log::default_rotation_postprocessor_cmd = "archive-log";
>
> The "archive-log" script will be executed by Bro (so it either needs
> to be in Bro's PATH or you need to give the pathname).
>
> In order to get the archive-log script to work, you need to
> edit broctl.cfg as needed and run "broctl install".  Then start Bro
> manually and when Bro runs archive-log it should have all the
> info it needs.

Yea so I lied I tested this already :D  This works really well.  I'm 
assuming that the number of seconds in "redef 3600 secs" and 
"LogRotationInterval = 3600" in broctl.conf have to match up.  And as I 
have bro symlinked to /usr/local/bin/bro I also had to symlink:

lrwxrwxrwx 1 root root      47 Aug 21 14:24 /usr/local/bin/archive-log 
-> /usr/local/bro/share/broctl/scripts/archive-log
lrwxrwxrwx 1 root root      52 Aug 21 14:38 
/usr/local/bin/broctl-config.sh -> 
/usr/local/bro/share/broctl/scripts/broctl-config.sh

But after that it ran like a champ.  My last question is if I have 
these rotate every 24 hours, if I say...start this at 15:00, will it 
rotate at 15:00?  Thank you.

James

More information about the Bro mailing list