On 08/15/2014 01:13 PM, Seth Hall wrote:
On Aug 15, 2014, at 11:53 AM, James Lay <jlay(a)slave-tothe-box.net>
To give me an option to append instead of
overwrite. I imagine
since broctl does all the file management that this could be a
Ah! You just want to have file management (and perhaps full
rotation?) added as a standalone script and not something that is
added by broctl?
Johanna is right that with our current logging scheme we can't
really append log files for multiple reasons but I could certainly
pull together something that would give you decent log rotation
without running broctl.
To get basic log rotation working without running broctl, you only
need to add this in one of your Bro scripts:
redef Log::default_rotation_interval = 3600 secs;
However, that does not compress the rotated logs, and it will not
move them to another directory. If you want those features, then
you need to have broctl installed, and you need to add this line
redef Log::default_rotation_postprocessor_cmd = "archive-log";
The "archive-log" script will be executed by Bro (so it either needs
to be in Bro's PATH or you need to give the pathname).
In order to get the archive-log script to work, you need to
edit broctl.cfg as needed and run "broctl install". Then start Bro
manually and when Bro runs archive-log it should have all the
info it needs.
Yeah, so I lied, I tested this already :D This works really well. I'm
assuming that the number of seconds in "redef 3600 secs" and
"LogRotationInterval = 3600" in broctl.conf have to match up. And as I
have bro symlinked to /usr/local/bin/bro I also had to symlink:
lrwxrwxrwx 1 root root 47 Aug 21 14:24 /usr/local/bin/archive-log
lrwxrwxrwx 1 root root 52 Aug 21 14:38
But after that it ran like a champ. My last question is if I have
these rotate every 24 hours, if I say...start this at 15:00, will it
rotate at 15:00? Thank you.
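As an added example (not code from this thread or from the Bro project), the following Bro script does what the quoted advice describes, hourly rotation without broctl, and goes one step further by replacing the default ASCII postprocessor with one that compresses each rotated log and moves it to an archive directory, which is the part the thread says plain `Log::default_rotation_interval` cannot do on its own. The archive directory path, the `LocalArchive` module name and the `archive_rotated` function are assumptions; `Log::RotationInfo`, `Log::default_rotation_postprocessors` and `Log::default_rotation_date_format` are the logging framework's own names.

```bro
# Added example, not from the thread. Hourly rotation without broctl, plus a
# custom postprocessor that gzips and archives every rotated ASCII log.
module LocalArchive;

export {
    ## Where rotated, compressed logs end up (assumed path, change as needed).
    const archive_dir = "/var/log/bro/archive" &redef;
}

# Rotate all log streams every hour (same effect as the one-liner above).
redef Log::default_rotation_interval = 1 hr;

# Bro calls this for each rotated ASCII log. It replaces the stock
# postprocessor, which only renames the file in place and then runs
# Log::default_rotation_postprocessor_cmd (i.e. archive-log under broctl).
function archive_rotated(info: Log::RotationInfo): bool
    {
    # Name the archived file after the stream and its open time,
    # e.g. conn.2014-08-21-14-00-00.log (gzip appends .gz).
    local dst = fmt("%s/%s.%s.log", archive_dir, info$path,
                    strftime(Log::default_rotation_date_format, info$open));

    # system() hands this string to /bin/sh, so quote every path.
    # (str_shell_escape is the Bro 2.x name; newer Zeek calls it safe_shell_quote.)
    system(fmt("mkdir -p %s && mv %s %s && gzip -f %s",
               str_shell_escape(archive_dir), str_shell_escape(info$fname),
               str_shell_escape(dst), str_shell_escape(dst)));
    return T;
    }

# Install it for the ASCII writer only; other writers keep their defaults.
redef Log::default_rotation_postprocessors += {
    [Log::WRITER_ASCII] = archive_rotated
};
```

Load this from local.bro (or pass it on the command line) and start Bro by hand; no broctl install step is needed because the script never calls archive-log. Because the postprocessor is installed only for `Log::WRITER_ASCII`, a stream written by another writer is left untouched. On the rotation-time question at the end of the thread, the thing to check is the global `log_rotate_base_time` in init-bare.bro (default "0:00"): in my understanding rotation boundaries are computed from that base time rather than from when Bro was started, so a 24-hour interval lines up with that time of day unless you redef it.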