[Bro] Feature Request: Append

James Lay jlay at slave-tothe-box.net
Wed Oct 5 05:35:49 PDT 2016 

On Wed, 2016-10-05 at 08:17 -0400, Seth Hall wrote:
> > 
> > On Sep 29, 2016, at 6:53 PM, James Lay <jlay at slave-tothe-box.net>
> > wrote:
> > 
> > I know I've brought this up before, but I was going to put this in
> > on 
> > the github but that feature isn't enabled.
> > 
> > I know a lot of people just use broctl and be done with it, but I
> > just 
> > use it via command line most of the time.  It would REALLY be nice
> > have 
> > a command line switch to not overwrite log files and just append
> > to 
> > existing files.  Thank you.
> Yeah, this has been a bit of an unfortunate change.  When we switched
> to the current logging format in 2.0, we changed the logging so you
> couldn't do append because the ascii writer in the default "bro log
> format" wants to put the header and footer in place.  If the format
> of the logs changes between restarts the content wouldn't even be
> consistent (i.e., column offsets could change or be renamed).
> 
> This request may be an early sign that we need to consider a bit of
> overhaul to the default writers in 2.6.  The ascii writer is sort of
> overloaded by doing the "bro log format" and JSON logging, the JSON
> logging doesn't provide any indication of the structure of the logs
> being provided, you can't append with the ascii writer as you've
> indicated (although, if we had a dedicated json logger then it might
> make more sense to have an append mode).  Definitely some issues to
> think about.
>   
>   .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
Thanks Seth.  Truth be told it wouldn't bother me one bit if the
headers were written again...they're all prefaced with "#" anyways.
 Just to have it not create a new file and append to the current if it
exists is all I'd really like to see at some point.  And personally I
love the ascii...makes it so easy to quickly search ☺  Anyway thanks
for looking at this.
James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161005/d973c7ee/attachment.html

More information about the Bro mailing list