[Bro] BroControl config to delete instead of archive on rotation

Josh Liburdi liburdi.joshua at gmail.com
Fri May 26 08:06:51 PDT 2017


Thanks for the feedback everyone.

Somewhat on this topic, have you guys ever thought about adding a socket
writer (logging via the network) to Bro? That would be the most efficient
way of minimizing disk I/O.

On Thu, May 25, 2017 at 6:19 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:

> > On May 25, 2017, at 3:52 PM, Daniel Thayer <dnthayer at illinois.edu> wrote:
> >
> > On 5/25/17 2:07 PM, Vlad Grigorescu wrote:
> >> I don't, but you could try just changing broctl.cfg: CompressCmd = rm
> >>
> >> Which really is just (very) lossy compression... :-)
> >>
> >
> > Doing that would result in an archived log file of zero length.
> > To truly delete the log would currently require modifications
> > to the archive-log script.
>
> I think we already support this, it just was never intended to be used for
> this purpose:
>
> The archive-log script does this:
>
> # Run other postprocessors.
> if [ -d "${postprocdir}" ]; then
>     for pp in "${postprocdir}"/*; do
>         nice "$pp" $@
>     done
> fi
>
> # Test if the log still exists in case one of the postprocessors archived it.
> if [ ! -f $file_name ]; then
>     exit 0
> fi
>
> So I think all one needs to do is
>
>     ln -s /bin/rm /usr/local/bro/share/broctl/scripts/postprocessors/rm
>
> --
> - Justin Azoff
>
>
>
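
As an added example (not part of the thread and not BroControl's own code): the quoted loop hands every archive-log argument to each postprocessor, so a small wrapper that removes only the rotated log is an alternative to linking rm directly. The names delete-log, install_delete_log, run_postprocessors and demo are hypothetical, the file names are constructed, and it assumes the rotated log is the first argument.

```shell
#!/bin/sh
# Hypothetical "delete-log" postprocessor, written into directory $1.
# Assumption: archive-log passes the rotated log file as the first argument.
install_delete_log() {
    cat > "$1/delete-log" <<'EOF'
#!/bin/sh
# Delete only the rotated log (first argument); ignore all other arguments.
[ $# -ge 1 ] || exit 0
[ -f "$1" ] && [ ! -L "$1" ] || exit 0
exec rm -f -- "$1"
EOF
    chmod +x "$1/delete-log"
}

# Replay of the quoted archive-log logic. Where archive-log would "exit 0",
# this prints "deleted"; otherwise it prints "archive" (archiving continues).
run_postprocessors() {
    postprocdir=$1; shift
    file_name=$1
    if [ -d "${postprocdir}" ]; then
        for pp in "${postprocdir}"/*; do
            nice "$pp" "$@"
        done
    fi
    if [ ! -f "$file_name" ]; then
        echo deleted
    else
        echo archive
    fi
}

# Constructed demo: a temp spool holding one rotated log and a bystander
# file whose name matches a later argument; only the log may disappear.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/postprocessors"
    install_delete_log "$tmp/postprocessors"
    : > "$tmp/conn.2017-05-26.log"
    : > "$tmp/conn"
    result=$(cd "$tmp" && run_postprocessors "$tmp/postprocessors" conn.2017-05-26.log conn)
    [ -e "$tmp/conn" ] && result="$result bystander-kept"
    rm -rf "$tmp"
    echo "$result"
}

demo
```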