[Bro] Append instead of overwrite

Daniel Thayer dnthayer at illinois.edu
Thu Aug 21 15:07:00 PDT 2014


On 08/21/2014 04:13 PM, James Lay wrote:
> On 2014-08-21 13:36, Daniel Thayer wrote:
>> On 08/15/2014 01:13 PM, Seth Hall wrote:
>>>
>>> On Aug 15, 2014, at 11:53 AM, James Lay <jlay at slave-tothe-box.net>
>>> wrote:
>>>
>>>> To give me an option to append instead of overwrite.  I imagine
>>>> that since broctl does all the file management that this could be
>>>> a command line option...
>>>
>>> Ah!  You just want to have file management (and perhaps full
>>> rotation?) added as a standalone script and not something that is
>>> added by broctl?
>>>
>>> Johanna is right that with our current logging scheme we can't
>>> really append log files for multiple reasons but I could certainly
>>> pull together something that would give you decent log rotation
>>> without running broctl.
>>>
>>>     .Seth
>>>
>>
>> To get basic log rotation working without running broctl, you only
>> need to add this in one of your Bro scripts:
>>
>> redef Log::default_rotation_interval = 3600 secs;
>>
>> However, that does not compress the rotated logs, and it will not
>> move them to another directory.  If you want those features, then
>> you need to have broctl installed, and you need to add this line
>> also:
>>
>> redef Log::default_rotation_postprocessor_cmd = "archive-log";
>>
>> The "archive-log" script will be executed by Bro (so it either needs
>> to be in Bro's PATH or you need to give the pathname).
>>
>> In order to get the archive-log script to work, you need to
>> edit broctl.cfg as needed and run "broctl install".  Then start Bro
>> manually and when Bro runs archive-log it should have all the
>> info it needs.
>
> Yeah, so I lied, I tested this already :D  This works really well.  I'm
> assuming that the number of seconds in "redef 3600 secs" and
> "LogRotationInterval = 3600" in broctl.conf have to match up.  And as I


Those values don't really need to match (but it might be best to
keep them in sync just to avoid confusion).  Since you're not
starting Bro with broctl, then the only broctl config options
that will be used are the ones that the archive-log script uses
(you can look in that script to see which variables it uses,
if you're curious).


> But after that it ran like a champ.  My last question is if I have
> these rotate every 24 hours, if I say...start this at 15:00, will it
> rotate at 15:00?  Thank you.
>
> James

In that case I think it will rotate at midnight.
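As an added illustration (not part of the thread above and not broctl's own
archive-log script): the two redef lines quoted earlier only get you rotation
plus a hook, and this is what a minimal postprocessor behind
Log::default_rotation_postprocessor_cmd can look like when broctl is not in
the picture.  It assumes the six-argument call that Bro's ASCII writer makes
to the command (rotated file, base name, open and close timestamps in
%y-%m-%d_%H.%M.%S, terminating flag, writer), mirrors broctl's
logs/YYYY-MM-DD/base.open-close.log.gz layout, and refuses to clobber an
archive that already exists, which is the "overwrite" problem the subject
line is about.  ARCHIVE_DIR is this example's own variable, and the sample
conn log in the demo is constructed data.

```shell
#!/bin/sh
# Minimal stand-in for broctl's archive-log (example code, not broctl's).
# Bro invokes Log::default_rotation_postprocessor_cmd as (assumed order,
# taken from the ASCII writer's run_rotation_postprocessor_cmd):
#   $1 rotated file, e.g. conn-14-08-21_15.00.00.log
#   $2 base name of the log stream, e.g. conn
#   $3 open timestamp  (%y-%m-%d_%H.%M.%S)
#   $4 close timestamp (%y-%m-%d_%H.%M.%S)
#   $5 1 if Bro is shutting down, 0 on a normal rotation
#   $6 writer, e.g. Log::WRITER_ASCII
# Archive layout: $ARCHIVE_DIR/YYYY-MM-DD/<base>.<HH:MM:SS>-<HH:MM:SS>.log.gz
# ARCHIVE_DIR is this example's own knob, not a broctl setting.

ARCHIVE_DIR="${ARCHIVE_DIR:-./logs}"

# ts_day 14-08-21_15.00.00 -> 2014-08-21 (assumes a 20xx year, like the
# two-digit %y Bro emits).
ts_day() {
    d="${1%%_*}"
    printf '20%s\n' "$d"
}

# ts_hms 14-08-21_15.00.00 -> 15:00:00
ts_hms() {
    t="${1#*_}"
    printf '%s\n' "$t" | tr '.' ':'
}

# archive_rotated_log ROTATED BASE OPEN CLOSE TERMINATING WRITER
# Moves the rotated file into the day directory of its open time,
# compresses it, and prints the archive path. Returns non-zero (and
# leaves the rotated file where it is) if the archive already exists.
archive_rotated_log() {
    rotated="$1"; base="$2"; open_ts="$3"; close_ts="$4"
    terminating="$5"; writer="$6"   # accepted to match Bro's call; unused here

    [ -f "$rotated" ] || { echo "archive: no such file: $rotated" >&2; return 1; }
    # The base name becomes part of a path we create: keep it a plain name.
    case "$base" in
        ""|*/*|.*) echo "archive: refusing odd base name '$base'" >&2; return 1 ;;
    esac

    day=$(ts_day "$open_ts")
    dest_dir="$ARCHIVE_DIR/$day"
    dest="$dest_dir/$base.$(ts_hms "$open_ts")-$(ts_hms "$close_ts").log"
    mkdir -p "$dest_dir"

    # Never silently overwrite an earlier archive for the same window.
    if [ -e "$dest.gz" ]; then
        echo "archive: $dest.gz already exists, leaving $rotated in place" >&2
        return 1
    fi

    mv "$rotated" "$dest" && gzip "$dest" || return 1
    printf '%s\n' "$dest.gz"
}

if [ "$#" -eq 6 ]; then
    # Invoked by Bro as the postprocessor command.
    archive_rotated_log "$@"
elif [ "$#" -eq 0 ]; then
    # Stand-alone demo on a constructed rotated conn log (sample data).
    work=$(mktemp -d)
    ARCHIVE_DIR="$work/logs"
    printf '#path\tconn\n1408655400.1\tCHhAvVGS1DHFjwGM9\t10.0.0.5\n' \
        > "$work/conn-14-08-21_15.00.00.log"
    archive_rotated_log "$work/conn-14-08-21_15.00.00.log" conn \
        14-08-21_15.00.00 14-08-21_16.00.00 0 Log::WRITER_ASCII
fi
```

Point Bro at it with the redef already quoted above, giving the full
pathname (for example `redef Log::default_rotation_postprocessor_cmd =
"/usr/local/bin/archive-log.sh";`), and the script inherits whatever
ARCHIVE_DIR is in Bro's environment.  Unlike broctl's archive-log it reads
no broctl.cfg, so nothing has to be kept in sync with
LogRotationInterval; the day directory comes from the open timestamp, so a
log that rotates at midnight lands under the day it was opened.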


