[Bro] redef LogExpireInterval with JSON log writer?

Drew Dixon dwdixon at umich.edu
Mon Mar 19 09:48:40 PDT 2018


Thank you Jan and Seth,

Jan, I might try that in the meantime, which is what I was originally
thinking.   Ideally I'd like the JSON logs to never get archived though, then
I don't have to worry about maintaining another cleanup process/script.

Seth, thank you much for doing some more testing on a full cluster with
broctl, if you can sort out the bug with the JSON logs getting archived
when they were not intended to be I think I'll be all set to deploy your
json-streaming-logs : )

-Drew

On Fri, Mar 16, 2018 at 3:39 PM, Seth Hall <seth at corelight.com> wrote:

>
>
> On 16 Mar 2018, at 14:09, Drew Dixon wrote:
>
>> I see you're keeping iterations of the json_streaming versions of the logs
>> around in the event a log shipper process or some process is still attached
>> to the inode and that the creation of the .1, .2, json logs probably keys
>> off the custom rotation interval (15 min) from what I can tell, which makes
>> sense to me.  Aside from that, in my testing I see that json_streaming logs
>> are in fact being archived along with the default tab delimited logs so I'm
>> assuming that as it stands now the json_streaming .gz
>>
>
> Oh!  That's a bug then.  I was bad and never ended up running that script
> on a full cluster with Broctl, sorry about that.  I'll do some more testing
> because that archiving was not the intent. :(
>
>
>   .Seth
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>