[Bro] redef LogExpireInterval with JSON log writer?
Seth Hall
seth at corelight.com
Fri Mar 16 12:39:51 PDT 2018
On 16 Mar 2018, at 14:09, Drew Dixon wrote:
> I see you're keeping iterations of the json_streaming versions of the
> logs around in the event a log shipper process or some process is
> still attached to the inode and that the creation of the .1, .2, json
> logs probably keys off the custom rotation interval (15 min) from what
> I can tell, which makes sense to me. Aside from that, in my testing
> I see that json_streaming logs are in fact being archived along with
> the default tab delimited logs so I'm assuming that as it stands now
> the json_streaming .gz
Oh! That's a bug then. I was bad and never ended up running that script
on a full cluster with Broctl, sorry about that. I'll do some more
testing because that archiving was not the intent. :(
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com