[Bro] delay compress bro log rotation
Johanna Amann
johanna at icir.org
Fri Feb 26 09:23:48 PST 2016
Hello Brandon,

On Fri, Feb 19, 2016 at 04:06:48PM -0800, Brandon Glaze wrote:
> Is there a way to enable a "delay compress" type command (like in
> logrotate) for bro/broctl cron? I want to post process log files and it
> would be much more efficient if they were uncompressed.

As far as I am aware, there is no command that delays compression of the
logs. However, you should be able to install custom postprocessing scripts
into broctl, which will be run on the uncompressed log files - this is how
the default connection summary reports are generated.

I never tried this, but I think you should just be able to add a script to
the "postprocessors" directory in broctl, and it should be called on
log-rotation for every log-file. You can use the implementation of the
script that generates the connection summary as a guideline on how to
implement this:

https://github.com/bro/broctl/tree/master/bin/postprocessors

I hope this helps,
Johanna