[Bro] redef LogExpireInterval with JSON log writer?
Seth Hall
seth at corelight.com
Thu Mar 15 14:48:33 PDT 2018
On 15 Mar 2018, at 15:27, Drew Dixon wrote:

> Is a redef-able option for the log expire interval something that
> might be added in a future version of bro? Is there a way to do this
> now that I'm just missing? Is LogExpireInterval only available for
> broctl/broctl.cfg?

What you set with broctl is just the global filter. If you look at the
json-streaming-logs package (link included below), you can see that I'm
setting a custom rotation interval separately from the global default
rotation interval. If you are looking to duplicate logging, you're
going to be doing something similar to what json-streaming-logs is
doing. I'm curious if json-streaming-logs doesn't do what you need it to.
It's possible that if what you need conceptually fits into that package
I could just add it there.

From how you described your problem, it sounds like json-streaming-logs
might already do what you need?

Here's the link to how I'm setting a custom rotation interval for a log
filter that I referenced above:

https://github.com/corelight/json-streaming-logs/blob/master/scripts/main.bro#L72

.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com
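
The per-filter rotation interval described in the message above, as an added sketch that is not part of the original post and is not copied from json-streaming-logs. The module name `JSONCopy`, the filter name `json-copy`, the `json_` path prefix and the 15-minute interval are assumptions chosen for illustration.

```bro
# Added illustration: duplicate every log stream as JSON with its own
# rotation interval, leaving the global default rotation untouched.
# Assumed names/values: JSONCopy, "json-copy", "json_" prefix, 15min.
module JSONCopy;

export {
	## Rotation interval applied only to the JSON copies.
	const rotation_interval = 15min &redef;
}

# Run after the streams have been created in their own bro_init handlers.
event bro_init() &priority=-5
	{
	for ( id in Log::active_streams )
		{
		# Copy the default filter so the JSON log carries the same fields
		# and the stored default filter record is not modified.
		local filt = copy(Log::get_filter(id, "default"));

		# Skip streams whose default filter was removed, or that have no
		# fixed path to derive the new file name from.
		if ( filt$name == Log::no_filter$name || ! filt?$path )
			next;

		filt$name = "json-copy";
		filt$path = "json_" + filt$path;
		filt$writer = Log::WRITER_ASCII;
		filt$config = table(["use_json"] = "T");

		# Per-filter rotation: overrides the default rotation interval
		# for this filter only.
		filt$interv = rotation_interval;

		Log::add_filter(id, filt);
		}
	}
```

Because `rotation_interval` is declared `&redef`, a site script can change it with `redef JSONCopy::rotation_interval = 5min;` without touching broctl.cfg.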