[Bro] bro logging gzip

John Edwards jedwards2728 at gmail.com
Sun Oct 30 21:41:51 PDT 2016


I have configured /opt/bro/etc/broctl.cfg with LogRotationInterval = 1800 because
the default 3600 was causing too much data to be rotated and causing CPU
spikes and dropped packets.

Since I changed the interval to 1800 I am noticing in my log
directory that every protocol log is logging from 00:00 - 00:30 and then the next
log is 00:00 - 01:00, so it seems both the 30 minutes that I have defined to
log and also the default 1 hour log are being logged.

This seems weird to me as it wasn't doing this when I first installed Bro.
What process or sub-process handles the gzip component of logs from the
spool?


Also, on another standalone worker I converted from ASCII to JSON as it's
going straight into our Splunk SIEM. Now JSON data is being logged for
multiple days at a time in the current directory and not gzipping to the
directory every half an hour like I have defined. The way I have got it to
gzip is to deploy a config change so it gracefully shuts down and starts
again; this causes the post-processor to write to disk, but while the daemon
is running configured to output as JSON it doesn't log rotate correctly. Has
anyone else run into this issue?

Cheers,
John
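The double rotation described above (a 00:00-00:30 file next to a 00:00-01:00 file for the same log) can be caught mechanically by checking a day's rotated log names for overlapping time windows. The script below is an added example, not code from the original post or from Bro/broctl; it assumes Bro's rotated-file naming of the form `<log>.<HH:MM:SS>-<HH:MM:SS>.log.gz`, and the directory listing it scans is constructed to mirror the symptom.

```python
import re
from itertools import combinations

# Rotated Bro log names look like conn.00:00:00-00:30:00.log.gz. The final
# slot of a day ends at 00:00:00 of the next day; treat that as 24:00:00 so
# windows can be compared as seconds since midnight.
NAME_RE = re.compile(
    r"^(?P<log>[\w-]+)\.(?P<start>\d{2}:\d{2}:\d{2})-(?P<end>\d{2}:\d{2}:\d{2})\.log(?:\.gz)?$"
)


def _to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_rotated_name(name):
    """Return (log_type, start_sec, end_sec) for a rotated log name, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    start = _to_seconds(m.group("start"))
    end = _to_seconds(m.group("end"))
    if end <= start:  # window wraps past midnight, e.g. 23:00:00-00:00:00
        end += 24 * 3600
    return m.group("log"), start, end


def find_overlaps(names):
    """Return a sorted list of (log_type, name_a, name_b) whose windows overlap.

    Two windows overlap when each starts before the other ends; adjacent
    windows such as 00:00-00:30 and 00:30-01:00 do not count.
    """
    by_log = {}
    for name in names:
        parsed = parse_rotated_name(name)
        if parsed:
            log, start, end = parsed
            by_log.setdefault(log, []).append((name, start, end))
    overlaps = []
    for log, entries in by_log.items():
        for (na, sa, ea), (nb, sb, eb) in combinations(sorted(entries), 2):
            if sa < eb and sb < ea:
                overlaps.append((log, na, nb))
    return sorted(overlaps)


# Constructed sample listing of a logs/<date>/ directory; the conn and http
# entries reproduce the overlapping-rotation symptom, dns is healthy, and
# notes.txt shows that non-log files are ignored.
SAMPLE_LISTING = [
    "conn.00:00:00-00:30:00.log.gz",
    "conn.00:00:00-01:00:00.log.gz",
    "conn.01:00:00-01:30:00.log.gz",
    "dns.00:00:00-00:30:00.log.gz",
    "dns.00:30:00-01:00:00.log.gz",
    "http.23:00:00-00:00:00.log.gz",
    "http.23:30:00-00:00:00.log.gz",
    "notes.txt",
]

if __name__ == "__main__":
    for log, a, b in find_overlaps(SAMPLE_LISTING):
        print(f"{log}: {a} overlaps {b}")
```

On a real system, replace `SAMPLE_LISTING` with `os.listdir("/opt/bro/logs/<date>")`; any overlap reported means two rotation schedules wrote the same log type for the same period, which is the situation to investigate in broctl's rotation settings.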
