[Bro] Odd log problem - logs get archived as empty

Benjamin Wood ben.bt.wood at gmail.com
Fri Mar 7 14:11:09 PST 2014


Please don't use that "script" James posted. (No offense.) You'll lose data
for the time that bro is off. (Maybe you won't care. Maybe you will.)

I wouldn't recommend killing a process just to rotate its log, as was
suggested.

If you must "roll your own" logs, I'd recommend logrotate (add a config in
/etc/logrotate.d/). That's what it is there for. Short of that you can
rotate your own logs using some kind of copy-truncate or copy-rm procedure.
But be careful of the many gotchas in writing your own, one of which is
avoiding data loss.

Easiest thing is to stick with broctl or logrotate.

~Ben


On Fri, Mar 7, 2014 at 1:43 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> On 2014-03-07 11:02, Justin Azoff wrote:
> > On Fri, Mar 07, 2014 at 05:49:59PM +0000, Jeremy Hoel wrote:
> >> Plus, the 'broctl config' knew about the commands, but they weren't
> >> in the .sh file. So I'm not sure how/why that was different. But that
> >> is probably totally me not knowing how Bro works in detail.
> >
> > The why would be: 'broctl install' was not run after upgrading bro.
> >
> >> I'm just helpful for the quick response of this list and that it
> >> wasn't something simple that I had missed.
> >
> >
> > Looks like there are things that can be done in broctl to check for
> > this, but in the future just running broctl install after an upgrade
> > will make this not happen again.
>
> You can also roll your own...in a cron job at say 23:58 (you lose the
> email stats without broctl however)
>
> #!/bin/bash
> killall bro
> mkdir /media/backup/bro/logarchive/`date --date=today +%m-%d-%Y`
> mv /media/backup/bro/current/*.log /media/backup/bro/logarchive/`date --date=today +%m-%d-%Y`
> cd /media/backup/bro/logarchive/`date --date=today +%m-%d-%Y`
> /usr/local/bin/gz.pl
> cd /media/backup/bro/current
> /usr/local/bin/startbro
> exit
>
>
> cat /usr/local/bin/gz.pl
>
> #!/usr/bin/perl
> @zips = `ls *.log`;          # one file name per line
> foreach (@zips) {
>     chomp;                   # strip the trailing newline before passing to gzip
>     system("gzip $_");
> }
> exit;
>
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
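As an added example (not code from this thread), here is a copy-truncate variant of James's cron script that follows Ben's advice not to kill bro: the live file is copied, truncated in place so bro's open descriptor stays valid, and the copy is gzipped into a dated archive directory. The log and archive paths are assumptions passed as arguments, and the comment marks the data-loss window Ben warns about.

```shell
#!/bin/bash
# Copy-truncate rotation for Bro ASCII logs (example, not broctl's own logic).
# Gotcha: any line bro writes between the cp and the truncate is lost, which is
# exactly why broctl or logrotate is preferable; the window is kept short by
# truncating each file immediately after its copy completes.
# Usage: rotate_bro_logs <logdir> <archive_root>   (both paths are assumptions)

rotate_bro_logs() {
    logdir="$1"
    archive_root="$2"
    stamp=$(date +%Y-%m-%d)          # ISO date so archive dirs sort in order
    dest="$archive_root/$stamp"
    mkdir -p "$dest" || return 1
    for f in "$logdir"/*.log; do
        [ -e "$f" ] || continue      # glob matched nothing
        base=$(basename "$f")
        if [ -e "$dest/$base.gz" ]; then
            echo "$dest/$base.gz already exists, leaving $base alone" >&2
            continue                 # never overwrite an earlier archive
        fi
        if cp -p "$f" "$dest/$base"; then
            : > "$f"                 # truncate in place; bro keeps its fd
            gzip -9 "$dest/$base"
        else
            echo "copy of $f failed, not truncating it" >&2
        fi
    done
    echo "$dest"                     # archive directory for the caller
}
```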