[Zeek] Letting system handle log rotation

Mauricio Tavares raubvogel at gmail.com
Tue Apr 21 09:10:06 PDT 2020


On Tue, Apr 21, 2020 at 8:34 AM Mauricio Tavares <raubvogel at gmail.com> wrote:
>
> On Mon, Apr 20, 2020 at 8:30 AM Mauricio Tavares <raubvogel at gmail.com> wrote:
> >
> >       I have the system's syslog to do the log rotation, including
> > renaming, just the way I want. If I set LogRotationInterval = 0, would
> > zeek then let the system do its thing?
>
> Got it to work:
>
> [raub at testcentos log]$ sudo ls -lh /var/log/bro/old
> total 16M
> -rw-r--r-- 1 root root  14K Apr 21 03:39 capture_loss.log-20200421
> -rw-r--r-- 1 root root 3.6M Apr 21 03:39 communication.log-20200421
> -rw-r--r-- 1 root root 6.4M Apr 21 03:39 conn.log-20200421
> -rw-r--r-- 1 root root 970K Apr 21 03:39 dns.log-20200421
> -rw-r--r-- 1 root root 177K Apr 21 03:39 files.log-20200421
> -rw-r--r-- 1 root root 120K Apr 21 03:39 http.log-20200421
> -rw-r--r-- 1 root root  27K Apr 21 03:39 loaded_scripts.log-20200421
> -rw-r--r-- 1 root root  187 Apr 21 03:39 packet_filter.log-20200421
> -rw-r--r-- 1 root root  529 Apr 21 03:39 reporter.log-20200421
> -rw-r--r-- 1 root root  30K Apr 21 03:39 sip.log-20200421
> -rw-r--r-- 1 root root  24K Apr 21 03:39 ssl.log-20200421
> -rw-r--r-- 1 root root 118K Apr 21 03:39 stats.log-20200421
> -rw-r--r-- 1 root root  188 Apr 21 03:39 stdout.log-20200421
> -rw-r--r-- 1 root root  580 Apr 21 03:39 top_dns.log-20200421
> -rw-r--r-- 1 root root 3.8M Apr 21 03:39 weird.log-20200421
> [raub at testcentos log]$ sudo ls -lh /var/log/bro/current
> total 12M
> -rw-r--r-- 1 root root  22K Apr 21 12:13 capture_loss.log
> -rw-r--r-- 1 root root 5.7M Apr 21 12:22 communication.log
> -rw-r--r-- 1 root root  11M Apr 21 12:22 conn.log
> -rw-r--r-- 1 root root 1.6M Apr 21 12:22 dns.log
> -rw-r--r-- 1 root root 283K Apr 21 12:22 files.log
> -rw-r--r-- 1 root root 191K Apr 21 12:22 http.log
> -rw-r--r-- 1 root root    0 Apr 21 03:39 loaded_scripts.log
> -rw-r--r-- 1 root root  784 Apr 20 20:42 notice.log
> -rw-r--r-- 1 root root    0 Apr 21 03:39 packet_filter.log
> -rw-r--r-- 1 root root    0 Apr 21 03:39 reporter.log
> -rw-r--r-- 1 root root  42K Apr 21 12:03 sip.log
> -rw-r--r-- 1 root root  36K Apr 21 12:21 ssl.log
> -rw-r--r-- 1 root root 190K Apr 21 12:19 stats.log
> -rw-r--r-- 1 root root    0 Apr 20 13:28 stderr.log
> -rw-r--r-- 1 root root    0 Apr 21 03:39 stdout.log
> -rw-r--r-- 1 root root    0 Apr 21 03:39 top_dns.log
> -rw-r--r-- 1 root root 6.1M Apr 21 12:22 weird.log
> -rw-r--r-- 1 root root 1.3K Apr 21 02:26 x509.log
> [raub at testcentos log]$

But now I broke the mail summary:

# Mail connection summary reports each log rotation interval.  A value of 1
# means mail connection summaries, and a value of 0 means do not mail
# connection summaries.  This option has no effect if the trace-summary
# script is not available.
MailConnectionSummary = 1
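For reference, here is the pair of settings this thread arrives at, written out as an added example rather than the poster's own configuration: zeekctl's built-in rotation switched off, and a logrotate stanza that does the rotation externally. The two directories are the ones from the listing above; the file name /etc/logrotate.d/zeek, the daily schedule and the retention count are assumptions. With LogRotationInterval = 0 Zeek keeps its log files open and does not rename or reopen them on its own, so the stanza has to use copytruncate rather than a plain rename; the price is that lines Zeek writes between the copy and the truncate are lost, which on a busy conn.log is not zero. The connection summary is sent "each log rotation interval" (see the comment above), so with no interval there is nothing for it to hang off; the example turns it off explicitly instead of leaving a setting that silently does nothing.

```conf
# zeekctl.cfg (broctl.cfg on older installs) -- relevant lines only

# 0 disables zeekctl's own rotation: the ASCII writer keeps appending to the
# files under the current/ directory and never renames or reopens them.
LogRotationInterval = 0

# The summary is produced once per rotation interval; with the interval
# disabled nothing triggers it, so turn it off rather than leaving it at 1.
MailConnectionSummary = 0


# /etc/logrotate.d/zeek  (file name, schedule and retention are assumptions;
# the directories are the ones from the listing above)
/var/log/bro/current/*.log {
    daily
    rotate 14
    missingok
    notifempty
    # yields conn.log-YYYYMMDD, placed in old/ (olddir must be on the same
    # filesystem as the logs being rotated)
    dateext
    olddir /var/log/bro/old
    # Zeek holds the files open and will not reopen them, so a rename would
    # leave the fresh, empty file unused. Copy the contents out and truncate
    # in place instead; lines written between the copy and the truncate are
    # lost, which is the cost of rotating without Zeek's cooperation.
    copytruncate
}
```

Run `logrotate -d /etc/logrotate.d/zeek` once to dry-run the stanza before letting cron pick it up; the truncated-but-growing files in current/ and the dated copies in old/ should then match the listing above.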

