[Bro] Append instead of overwrite

James Lay jlay at slave-tothe-box.net
Sat Aug 23 04:43:54 PDT 2014


On Thu, 2014-08-21 at 17:07 -0500, Daniel Thayer wrote:

> On 08/21/2014 04:13 PM, James Lay wrote:
> > On 2014-08-21 13:36, Daniel Thayer wrote:
> >> On 08/15/2014 01:13 PM, Seth Hall wrote:
> >>>
> >>> On Aug 15, 2014, at 11:53 AM, James Lay <jlay at slave-tothe-box.net>
> >>> wrote:
> >>>
> >>>> To give me an option to append instead of overwrite.  I imagine
> >>>> that since broctl does all the file management that this could be
> >>>> a command line option...
> >>>
> >>> Ah!  You just want to have file management (and perhaps full
> >>> rotation?) added as a standalone script and not something that is
> >>> added by broctl?
> >>>
> >>> Johanna is right that with our current logging scheme we can't
> >>> really append log files for multiple reasons but I could certainly
> >>> pull together something that would give you decent log rotation
> >>> without running broctl.
> >>>
> >>>     .Seth
> >>>
> >>
> >> To get basic log rotation working without running broctl, you only
> >> need to add this in one of your Bro scripts:
> >>
> >> redef Log::default_rotation_interval = 3600 secs;
> >>
> >> However, that does not compress the rotated logs, and it will not
> >> move them to another directory.  If you want those features, then
> >> you need to have broctl installed, and you need to add this line
> >> also:
> >>
> >> redef Log::default_rotation_postprocessor_cmd = "archive-log";
> >>
> >> The "archive-log" script will be executed by Bro (so it either needs
> >> to be in Bro's PATH or you need to give the pathname).
> >>
> >> In order to get the archive-log script to work, you need to
> >> edit broctl.cfg as needed and run "broctl install".  Then start Bro
> >> manually and when Bro runs archive-log it should have all the
> >> info it needs.
> >
> > Yea so I lied I tested this already :D  This works really well.  I'm
> > assuming that the number of seconds in "redef 3600 secs" and
> > "LogRotationInterval = 3600" in broctl.conf have to match up.  And as I
> 
> 
> Those values don't really need to match (but it might be best to
> keep them in sync just to avoid confusion).  Since you're not
> starting Bro with broctl, then the only broctl config options
> that will be used are the ones that the archive-log script uses
> (you can look in that script to see which variables it uses,
> if you're curious).
> 
> 
> > But after that it ran like a champ.  My last question is if I have
> > these rotate every 24 hours, if I say...start this at 15:00, will it
> > rotate at 15:00?  Thank you.
> >
> > James
> 
> In that case I think it will rotate at midnight.


FYI...this absolutely rotated at midnight...which is just
perfect...thanks again.

James
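As an added example, not code from the thread or from the Bro project, here is a small shell postprocessor that does what Daniel's message says plain Bro will not: gzip each rotated file and move it into a per-day directory, refusing to overwrite an archive that already exists. It assumes (as archive-log does, but this is not stated in the thread) that Bro invokes Log::default_rotation_postprocessor_cmd with six positional arguments: rotated file name, base name, open and close timestamps in the form 14-08-23_04.00.00, a terminating flag, and the writer name; the LOG_ARCHIVE_DIR location and the script path are hypothetical.

```shell
#!/bin/sh
# Constructed example: a minimal stand-in for broctl's archive-log, so that a
# Bro started by hand still compresses and files away its rotated logs.
# Assumption (not stated in the thread): Bro calls the postprocessor command as
#   <rotated_file> <base_name> <open_ts> <close_ts> <terminating 0|1> <writer>
# with timestamps like 14-08-23_04.00.00.
set -eu

: "${LOG_ARCHIVE_DIR:=/var/spool/bro/logs}"   # hypothetical destination root

# Usage: archive_rotated_log FILE BASE OPEN CLOSE TERMINATING WRITER
# On success prints the archive path and returns 0; never clobbers an archive.
archive_rotated_log() {
    rotated="$1"; base="$2"; open_ts="$3"; close_ts="$4"; writer="$6"
    # $5 (the terminating flag) is accepted but not needed for archiving.
    [ -f "$rotated" ] || { echo "no such file: $rotated" >&2; return 1; }

    # Only the ASCII writer produces plain-text files worth gzipping.
    case "$writer" in
        *ASCII*|*ascii*) ;;
        *) echo "unsupported writer: $writer" >&2; return 1 ;;
    esac

    # Day directory from the open timestamp: 14-08-23_04.00.00 -> 2014-08-23
    day="20${open_ts%%_*}"
    open_hm=${open_ts#*_};   open_hm=${open_hm%.*}    # e.g. 04.00
    close_hm=${close_ts#*_}; close_hm=${close_hm%.*}  # e.g. 05.00

    dest_dir="$LOG_ARCHIVE_DIR/$day"
    mkdir -p "$dest_dir"
    dest="$dest_dir/$base.${open_hm}-${close_hm}.log.gz"

    # Refuse to overwrite: a duplicate callback must not destroy an archive.
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 1; }
    # Compress into place, then remove the rotated original only on success.
    gzip -c "$rotated" > "$dest" || { rm -f "$dest"; return 1; }
    rm -f "$rotated"
    echo "$dest"
}

# When executed by Bro with its six arguments, archive the given file.
if [ "$#" -eq 6 ]; then
    archive_rotated_log "$@"
fi
```

Point Bro at it with `redef Log::default_rotation_postprocessor_cmd = "/usr/local/bin/archive-gzip.sh";` (hypothetical path) alongside the rotation interval redef from the thread.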