[Bro] log rotation leaving conn.log unrotated
Frank Meier
franky.meier.1 at gmx.de
Tue Apr 28 01:46:10 PDT 2015
hi,
On Mon, Apr 27, 2015 at 8:34, Daniel Thayer <dnthayer at illinois.edu> wrote:
>
> In your example, conn.log was rotated (the new filename was
> conn.2015-04-27-17-18-30.log). The conn.log file you saw
> after terminating Bro was most likely created in the short time span
> between rotating conn.log and Bro termination.
I think there is more to this. If I repeat the following steps I do lose
some entries in conn.log:
1) start bro
2) produce some traffic
3) stop bro via CTRL-C
4) restart bro
5) wait for log rotation
6) stop bro via CTRL-C
Grep for conn_uids from files.log. For some entries in files.log there
will be no match in any of the conn.logs. My workaround for now is to
append the stale conn.log to the last rotated log on shutdown:
#!/bin/sh
# Rotation postprocessor; Bro invokes it with these six arguments.
file_name=$1      # rotated file, e.g. conn.2015-04-27-17-18-30.log
base_name=$2      # log stream name, e.g. conn
from=$3           # open timestamp of the rotated file
to=$4             # close timestamp of the rotated file
terminating=$5    # 1 when Bro is shutting down
writer=$6         # writer type, e.g. ascii

echo "[+] LOG: Rotating $file_name (base: $base_name, from: $from, to: $to, terminating: $terminating, writer: $writer)"

if [ "$terminating" -eq 1 ] && [ -f "$base_name.log" ]; then
    echo "terminating. appending stale $base_name.log"
    # cut timestamp: drop the trailing #close line of the rotated file (GNU head)
    head -n -1 "$file_name" > "$file_name.tmp"
    mv "$file_name.tmp" "$file_name"
    # cut header: skip the 8 header lines of the stale log and append its records
    tail -n +9 "$base_name.log" >> "$file_name"
    mv "$base_name.log" done.log
fi
I don't have the time right now, but I will look further into this.
Franky
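As an added example (not part of the original post and not Bro's own tooling), the cross-check Franky describes, scripted: every conn_uid referenced in files.log should appear as a uid in one of the rotated conn logs, and anything that does not is a lost connection record. Column positions are read from the `#fields` header rather than hard-coded. The sample logs, UIDs, hosts and timestamps are constructed for the demonstration and trimmed to a few columns.

```shell
#!/bin/sh
# Added example: report conn_uids in files.log that no conn log accounts for.
# Not from the original post or from Bro; sample data below is constructed.

# Usage: orphan_conn_uids files.log conn*.log
# Prints each conn_uid from files.log that is missing from every conn log, one per line.
orphan_conn_uids() {
    files_log=$1; shift
    awk -F'\t' -v files_log="$files_log" '
        FNR == 1 { uidcol = 0; cucol = 0 }          # reset column indexes per file
        /^#fields/ {                                 # locate columns by name
            for (i = 2; i <= NF; i++) {
                if ($i == "uid")       uidcol = i - 1
                if ($i == "conn_uids") cucol  = i - 1
            }
            next
        }
        /^#/ { next }                                # other header lines and #close
        FILENAME != files_log && uidcol { seen[$uidcol] = 1; next }
        FILENAME == files_log && cucol {
            n = split($cucol, uids, ",")             # conn_uids is a comma-separated set
            for (j = 1; j <= n; j++)
                if (uids[j] != "-" && uids[j] != "(empty)" && !(uids[j] in seen))
                    print uids[j]
        }
    ' "$@" "$files_log" | sort -u
}

# Write the 8-line Bro ASCII header (the lines the post's `tail -n +9` skips).
# $1 = path, $2 = field names, $3 = types (both space-separated, converted to tabs).
bro_header() {
    printf '#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n'
    printf '#path\t%s\n#open\t2015-04-27-17-18-30\n' "$1"
    printf '#fields\t%s\n#types\t%s\n' \
        "$(printf '%s' "$2" | tr ' ' '\t')" "$(printf '%s' "$3" | tr ' ' '\t')"
}

# Constructed sample logs (made-up UIDs/hosts) reproducing the post's scenario:
# one rotated conn log, and a files.log entry whose connection record was lost.
# Prints the directory holding them.
make_sample_logs() {
    dir=$(mktemp -d)
    {
        bro_header conn 'ts uid id.orig_h id.resp_h proto' 'time string addr addr enum'
        printf '1430180300.1\tCuidAAA0001\t10.0.0.5\t10.0.0.9\ttcp\n'
        printf '1430180301.2\tCuidBBB0002\t10.0.0.5\t10.0.0.9\ttcp\n'
        printf '#close\t2015-04-27-17-18-30\n'
    } > "$dir/conn.2015-04-27-17-18-30.log"
    {
        bro_header files 'ts fuid tx_hosts rx_hosts conn_uids source' \
                         'time string set[addr] set[addr] set[string] string'
        printf '1430180300.5\tFuidAAA0001\t10.0.0.9\t10.0.0.5\tCuidAAA0001\tHTTP\n'
        printf '1430180302.0\tFuidCCC0003\t10.0.0.9\t10.0.0.5\tCuidCCC0003,CuidBBB0002\tHTTP\n'
        printf '1430180303.0\tFuidDDD0004\t10.0.0.9\t10.0.0.5\t-\tHTTP\n'
    } > "$dir/files.log"
    printf '%s\n' "$dir"
}

# Demonstration run on the constructed logs: only CuidCCC0003 has no conn record.
demo_dir=$(make_sample_logs)
orphan_conn_uids "$demo_dir/files.log" "$demo_dir"/conn*.log
rm -rf "$demo_dir"
```

Against a real Bro log directory the call is `orphan_conn_uids files.log conn*.log` (include the stale conn.log left behind at shutdown, if any); unset `-` and `(empty)` sets are skipped, and an empty result means every file record has its connection.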