[Bro] redef LogExpireInterval with JSON log writer?

Drew Dixon dwdixon at umich.edu
Thu Mar 15 12:27:45 PDT 2018


I'd like to switch to writing both tab-delimited logs and JSON logs with my
smaller bro cluster, but I would like the JSON logs to expire and get
removed at a much shorter "LogExpireInterval" than my tab delimited logs.
I see this is possible with the add-json package...

I've looked at both J-Gras' add-json and Seth's json-streaming-logs (both
are great), but I've been looking more at add-json since it seems like it's
more along the lines of what I was thinking. I see I can set the
rotation interval for the JSON writer by redefining the
Log::default_rotation_interval option, but I don't see a way to extend
add-json with a redef-able option for the log expire interval.

I also realize I could probably just script this with a shell script or
Python script to remove the archived JSON logs by leveraging the shorter
rotation interval for JSON logs, but I thought it would be nice to do it right
in the add-json package script.

Is a redef-able option for the log expire interval something that might be
added in a future version of bro?  Is there a way to do this now that I'm
just missing?  Is LogExpireInterval only available for broctl/broctl.cfg?

https://www.bro.org/sphinx-git/scripts/base/frameworks/logging/main.bro.html#id-Log::default_rotation_interval
https://www.bro.org/sphinx-git/frameworks/logging.html#rotation

-Drew
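One way to do the shell/Python workaround the post mentions, as an added example that is not part of the original message, the add-json package or broctl: a retention sweep that removes only archived JSON logs older than a shorter interval and leaves the tab-delimited archives to broctl's own LogExpireInterval. It assumes broctl's `logs/YYYY-MM-DD/<stream>.<HH:MM:SS>-<HH:MM:SS>.log.gz` archive layout and that the add-json filter writes JSON streams to a path ending in `-json` (e.g. `conn-json.log`); both are assumptions to adjust to your setup.

```python
#!/usr/bin/env python3
"""Expire archived JSON logs on a shorter schedule than tab-delimited ones.

Assumptions (not taken from add-json or broctl): archives live under
<logdir>/YYYY-MM-DD/<stream>.<HH:MM:SS>-<HH:MM:SS>.log[.gz], and the
add-json filter's $path ends in JSON_SUFFIX (e.g. conn-json.log)."""
import re
import sys
import time
from pathlib import Path

JSON_SUFFIX = "-json"             # assumed add-json path suffix
JSON_EXPIRE_SECONDS = 3 * 86400   # constructed: keep JSON archives for 3 days
DATE_DIR_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")   # broctl's dated archive dirs

def archive_pattern(suffix):
    """Match <stream><suffix>.<HH:MM:SS>-<HH:MM:SS>.log[.gz] and nothing else."""
    return re.compile(r"^[A-Za-z0-9_]+" + re.escape(suffix)
                      + r"\.\d{2}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}\.log(?:\.gz)?$")

def expired_json_logs(logdir, now, max_age=JSON_EXPIRE_SECONDS, suffix=JSON_SUFFIX):
    """Archived JSON logs under LOGDIR older than MAX_AGE seconds (by mtime).
    Tab-delimited archives, current/, stats/ and stray files are never returned."""
    pattern = archive_pattern(suffix)
    cutoff = now - max_age
    expired = []
    for day_dir in sorted(Path(logdir).iterdir()):
        if not (day_dir.is_dir() and DATE_DIR_RE.match(day_dir.name)):
            continue                      # skip current/, stats/, anything undated
        for f in sorted(day_dir.iterdir()):
            if f.is_file() and pattern.match(f.name) and f.stat().st_mtime < cutoff:
                expired.append(f)
    return expired

def expire_json_logs(logdir, now=None, dry_run=False, **kw):
    """Delete (or, with dry_run, only list) expired JSON archives; return their paths."""
    now = time.time() if now is None else now
    removed = []
    for f in expired_json_logs(logdir, now, **kw):
        if not dry_run:
            f.unlink()
        removed.append(f)
    return removed

if __name__ == "__main__":   # usage: expire_json.py <logdir> [--dry-run]
    for p in expire_json_logs(sys.argv[1], dry_run="--dry-run" in sys.argv[2:]):
        print("expired", p)
```

Run it from cron more often than the JSON rotation interval; the tab-delimited files are never matched, so broctl's LogExpireInterval keeps governing them.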