[Bro] local.bro causing memory leak

Seth Hall seth at corelight.com
Tue Mar 20 11:50:20 PDT 2018



On 19 Mar 2018, at 15:31, Benjamin Wood wrote:

> I'm running my cluster with broctl, and rotation is turned off because 
> I'm naming files with a timestamp to begin with.

Justin got your problem right.  If you turn off file rotation, then Bro 
is never closing any of these hourly logs.  You have to be really 
careful with how you use $path_func because you can easily get yourself 
into hot water.

Alternately you need to define a rotation interval and post processor.  
Something like this...

<i also trimmed out some of your code>

```bro
function my_log_post_processor(info: Log::RotationInfo): bool
	{
	# Strip the "<path>-YY-MM-DD_HH.MM.SS." prefix Bro puts on the rotated
	# file, keeping only the writer's extension (e.g. "log").
	local ext = sub(info$fname, /^[^\-]+-[0-9]+-[0-9]+-[0-9]+_[0-9]+\.[0-9]+\.[0-9]+\./, "");

	# Move file to name including both opening and closing time.
	local dst = fmt("%s_%s_%s-%s.%s", info$path, strftime("%Y%m%d", info$open),
	                                             strftime("%H:%M:%S", info$open),
	                                             strftime("%H:%M:%S%z", info$close),
	                                             ext);
	local cmd = fmt("/bin/mv %s %s/%s", info$fname, "/data/logs", dst);
	system(cmd);

	return T;
	}

event bro_init()
	{
	# Give every active stream's default filter an hourly rotation
	# interval and the post-processor above.
	for ( id in Log::active_streams )
		{
		local filter = Log::get_filter(id, "default");
		filter$interv = 1hr;
		filter$postprocessor = my_log_post_processor;
		Log::add_filter(id, filter);
		}
	}
```

Something like that will enable you to turn off log rotation in broctl 
(but you'll lose some broctl niceties as well).

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com
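Added example (not Seth's script and not from the thread): the same "rotate hourly, then move the closed file" approach, written as a standalone script. It assumes the Bro 2.5-era logging framework (`Log::default_rotation_interval`, `Log::default_rotation_postprocessors`, `safe_shell_quote`) and an archive directory that exists and is writable by the Bro user; the `HourlyArchive` module name, the `archive_dir` constant and the `/data/logs` path are assumptions. It differs from the loop above in two ways: it sets the interval and post-processor globally instead of patching each filter in `bro_init()`, and it shell-quotes the file names before they reach `system()`, since stream paths and `$path_func` output end up on that command line.

```bro
# Added example, not code from the thread. Assumes a Bro 2.5-era logging
# framework and an existing, writable archive directory.
module HourlyArchive;

export {
	## Destination for closed hourly logs (assumed path).
	const archive_dir = "/data/logs" &redef;
}

function archive_post_processor(info: Log::RotationInfo): bool
	{
	# Keep only the writer's extension by stripping the
	# "<path>-YY-MM-DD_HH.MM.SS." prefix Bro puts on the rotated file.
	local ext = sub(info$fname, /^[^\-]+-[0-9]+-[0-9]+-[0-9]+_[0-9]+\.[0-9]+\.[0-9]+\./, "");

	# Name the archived file after the window it actually covers. This also
	# runs at shutdown (info$terminating == T), so the last partial hour is
	# archived rather than left behind.
	local dst = fmt("%s/%s_%s_%s-%s.%s", archive_dir, info$path,
	                strftime("%Y%m%d", info$open),
	                strftime("%H:%M:%S", info$open),
	                strftime("%H:%M:%S%z", info$close),
	                ext);

	# Quote both names: whatever a $path_func returned is part of this
	# command line, and system() hands it to a shell.
	local cmd = fmt("/bin/mv %s %s", safe_shell_quote(info$fname), safe_shell_quote(dst));
	system(cmd);

	return T;
	}

# Rotate every hour and route all ASCII logs through the archiver, replacing
# the ASCII writer's default rotation post-processor.
redef Log::default_rotation_interval = 1hr;
redef Log::default_rotation_postprocessors += { [Log::WRITER_ASCII] = archive_post_processor };
```

Because the interval is set as the framework default, filters added by scripts loaded later pick it up too, which the `bro_init()` loop only does for streams that already exist when it runs. With broctl rotation turned off, check that `archive_dir` is on the same filesystem as the log directory; `/bin/mv` across filesystems copies rather than renames, and a failed copy leaves the rotated file in place.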