[Bro] log rotation leaving conn.log unrotated

Daniel Thayer dnthayer at illinois.edu
Mon Apr 27 11:34:52 PDT 2015


On 04/27/2015 10:41 AM, Frank Meier wrote:
> Hi.
>
> Before I ask yet another question, I wanted to say thanks to all who
> helped me during the last weeks. :) All tips were very helpful and fast!
> I hope I can repay for this by contributing in the future.
>
> I have this simple bro file:
>
> redef Log::default_rotation_postprocessor_cmd = "./postrotate.sh";
> redef Log::default_rotation_interval = 10 sec;
>
> with postrotate.sh just printing the parameters:
>
> #!/bin/sh
> # Print the six arguments Bro passes to the postprocessor, one per line.
> echo "-1-"
> echo "$1"
> echo "$2"
> echo "$3"
> echo "$4"
> echo "$5"
> echo "$6"
> echo "-2-"
>
> Now when bro is terminated via CTRL-C, the script is called:
> 1430147916.038582 received termination signal
> 1430147916.038582 1865 packets received on interface eth0, 45 dropped
>
> -1-
> files.2015-04-27-17-18-30.log
> files
> 15-04-27_17.18.30
> 15-04-27_17.18.36
> 1
> ascii
> -2-
> -1-
> http.2015-04-27-17-18-30.log
> http
> 15-04-27_17.18.30
> 15-04-27_17.18.36
> 1
> ascii
> -2-
> -1-
> weird.2015-04-27-17-18-30.log
> weird
> 15-04-27_17.18.30
> 15-04-27_17.18.36
> 1
> ascii
> -2-
> -1-
> conn.2015-04-27-17-18-30.log
> conn
> 15-04-27_17.18.30
> 15-04-27_17.18.36
> 1
> ascii
> -2-
> -1-
> reporter.2015-04-27-17-18-36.log
> reporter
> 15-04-27_17.18.36
> 15-04-27_17.18.36
> 1
> ascii
> -2-
>
> After that there is still a conn.log around. Why is this file not rotated?
> When I restart bro now, the conn.log seems to be overwritten and
> entries for example in files.log reference a uid not found in any of
> the conn.logs.
>
> I could not figure out why rotation works for most of the logs, but
> not for conn.log.
>
> Franky

In your example, conn.log was rotated (the new filename was 
conn.2015-04-27-17-18-30.log).  The conn.log file you saw
after terminating Bro was most likely created in the short time span
between rotating conn.log and Bro termination.
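
An added example, not part of the original message or of Bro's own scripts: a replacement for postrotate.sh that archives each rotated file without overwriting an earlier one, plus a sweep to run before starting Bro again that moves aside any un-rotated <base>.log, such as the leftover conn.log discussed above. ARCHIVE_DIR and the function names are assumptions, as is the rule that a rotated file is one whose base name contains a dot.

```shell
#!/bin/sh
# Added example (not from the thread). ARCHIVE_DIR and the function names
# are assumptions made for this sketch.
ARCHIVE_DIR=${ARCHIVE_DIR:-./archive}

# Pick a destination in ARCHIVE_DIR that does not exist yet, so an earlier
# log is never overwritten.
unique_dest() {
    dest="$ARCHIVE_DIR/$1.log"
    n=0
    while [ -e "$dest" ]; do
        n=$((n + 1))
        dest="$ARCHIVE_DIR/$1.$n.log"
    done
    echo "$dest"
}

# Postprocessor entry point. Arguments, in the order printed in the thread:
#   $1 rotated file   $2 base name   $3 open time   $4 close time
#   $5 1 when Bro is terminating     $6 writer
archive_rotated() {
    [ -f "$1" ] || return 1
    mkdir -p "$ARCHIVE_DIR" || return 1
    mv "$1" "$(unique_dest "$2.$3-$4")"
}

# Run on the log directory before starting Bro again: move aside every
# un-rotated <base>.log (no dot in the base name) and print how many moved.
stash_leftovers() {
    mkdir -p "$ARCHIVE_DIR" || return 1
    stamp=$(date +%y-%m-%d_%H.%M.%S)
    count=0
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        base=${f##*/}; base=${base%.log}
        case $base in *.*) continue ;; esac   # already rotated, leave it
        mv "$f" "$(unique_dest "$base.leftover-$stamp")" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# When Bro invokes the script with its six arguments, archive the file.
if [ "$#" -eq 6 ]; then archive_rotated "$@"; fi
```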


