[Bro] Bro 2.5 and log rotation
James Lay
jlay at slave-tothe-box.net
Thu Dec 22 05:49:47 PST 2016
I guess I'm in this boat as well. Since my upgrade, bro will stop
rotating logs at some point. I'm not running bro via broctl. Here's
my process for log rotation:
local.bro:
redef Log::default_rotation_interval = 86400 secs;
redef Log::default_rotation_postprocessor_cmd = "archive-log";
broctl.cfg:
LogRotationInterval = 86400
sudo /usr/local/bro/bin/broctl install
sudo ln -s /usr/local/bro/share/broctl/scripts/archive-log /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/broctl-config.sh /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/make-archive-name /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/expire-logs /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/delete-log /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/cflow-stats /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/stats-to-csv /usr/local/bin/
This will work for a while. But at some point it stops:
At the core I believe it's because bro, after some time, won't respond
to a "normal" kill command. A "sudo killall bro" will do nothing.
Usually I'll "sudo killall bro", wait a minute, and then my spool
directory will be empty, I'll have an email with stats, and I'll have
my new archive directory. I'll have to -9 it in order to get it to
stop. I've restarted this morning and will see how many days it will
go. Thank you.
James
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot from 2016-12-22 05-58-45.png
Type: image/png
Size: 59878 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161222/ce4362ce/attachment-0001.bin
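Added example, not part of the original message or of Bro/broctl: a small health check that reports when rotation has stalled in the way described above, by reading the "#open" timestamp that Bro's ASCII writer puts in each log header and comparing it with the 86400-second interval from local.bro. The spool directory argument, the 15-minute grace period and the function names are assumptions made for this illustration.

```python
"""Flag Bro ASCII logs whose '#open' header is older than the rotation interval."""
import sys
from datetime import datetime, timedelta
from pathlib import Path

ROTATION_INTERVAL = timedelta(seconds=86400)  # Log::default_rotation_interval in the post
GRACE = timedelta(minutes=15)                 # assumed slack for the postprocessor to run


def opened_at(log_path):
    """Return the local-time datetime from the '#open' header line, or None."""
    with open(log_path, "r", errors="replace") as fh:
        for line in fh:
            if not line.startswith("#"):
                break  # header block ended (or not an ASCII-format log at all)
            if line.startswith("#open"):
                parts = line.split()
                if len(parts) < 2:
                    return None
                try:
                    return datetime.strptime(parts[1], "%Y-%m-%d-%H-%M-%S")
                except ValueError:
                    return None  # damaged header; treat as unknown
    return None


def stale_logs(spool_dir, now, interval=ROTATION_INTERVAL, grace=GRACE):
    """Return [(file name, age)] for logs that should already have been rotated."""
    stale = []
    for path in sorted(Path(spool_dir).glob("*.log")):
        opened = opened_at(path)
        if opened is not None and now - opened > interval + grace:
            stale.append((path.name, now - opened))
    return stale


if __name__ == "__main__":
    # Usage: python check_rotation.py <spool directory>; exit status 1 if overdue
    spool = sys.argv[1] if len(sys.argv) > 1 else "."
    overdue = stale_logs(spool, datetime.now())
    for name, age in overdue:
        print(f"{name}: open for {age}, rotation overdue")
    sys.exit(1 if overdue else 0)
```

Run from cron, a non-zero exit status gives an early signal that the sensor is still writing to logs it should have archived.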