[Bro] Append instead of overwrite

James Lay jlay at slave-tothe-box.net
Thu Aug 21 15:29:21 PDT 2014 

On 2014-08-21 16:07, Daniel Thayer wrote:
> On 08/21/2014 04:13 PM, James Lay wrote:
>> On 2014-08-21 13:36, Daniel Thayer wrote:
>>> On 08/15/2014 01:13 PM, Seth Hall wrote:
>>>>
>>>> On Aug 15, 2014, at 11:53 AM, James Lay <jlay at slave-tothe-box.net>
>>>> wrote:
>>>>
>>>>> To give me an option to append instead of overwrite.  I imagine
>>>>> that
>>>>> since broctl does all the file management that this could be a
>>>>> command
>>>>> line option...
>>>>
>>>> Ah!  You just want to have file management (and perhaps full
>>>> rotation?) added as a standalone script and not something that is
>>>> added by broctl?
>>>>
>>>> Johanna is right that with our current logging scheme we can't
>>>> really append log files for multiple reasons but I could certainly
>>>> pull together something that would give you decent log rotation
>>>> without running broctl.
>>>>
>>>>     .Seth
>>>>
>>>
>>> To get basic log rotation working without running broctl, you only
>>> need to add this in one of your Bro scripts:
>>>
>>> redef Log::default_rotation_interval = 3600 secs;
>>>
>>> However, that does not compress the rotated logs, and it will not
>>> move them to another directory.  If you want those features, then
>>> you need to have broctl installed, and you need to add this line
>>> also:
>>>
>>> redef Log::default_rotation_postprocessor_cmd = "archive-log";
>>>
>>> The "archive-log" script will be executed by Bro (so it either 
>>> needs
>>> to be in Bro's PATH or you need to give the pathname).
>>>
>>> In order to get the archive-log script to work, you need to
>>> edit broctl.cfg as needed and run "broctl install".  Then start Bro
>>> manually and when Bro runs archive-log it should have all the
>>> info it needs.
>>
>> Yea so I lied I tested this already :D  This works really well.  I'm
>> assuming that the number of seconds in "redef 3600 secs" and
>> "LogRotationInterval = 3600" in broctl.conf have to match up.  And 
>> as I
>
>
> Those values don't really need to match (but it might be best to
> keep them in sync just to avoid confusion).  Since you're not
> starting Bro with broctl, then the only broctl config options
> that will be used are the ones that the archive-log script uses
> (you can look in that script to see which variables it uses,
> if you're curious).
>
>
>> But after that it ran like a champ.  My last question is if I have
>> these rotate every 24 hours, if I say...start this at 15:00, will it
>> rotate at 15:00?  Thank you.
>>
>> James
>
> In that case I think it will rotate at midnight.

That's beautiful...thanks so much Daniel!

James

More information about the Bro mailing list