On Fri, Feb 19, 2016 at 04:06:48PM -0800, Brandon Glaze wrote:
> Is there a way to enable a "delay compress" type command (like in
> logrotate) for bro/broctl cron? I want to post process log files and it
> would be much more efficient if they were uncompressed.

As far as I am aware, there is no command that delays compression of the
logs. However, you should be able to install custom postprocessing scripts
into broctl, which will be run on the uncompressed log files - this is how
the default connection summary reports are generated.
I never tried this, but I think you should just be able to add a script to
the "postprocessors" directory in broctl, and it should be called on
log-rotation for every log-file. You can use the implementation of the
script that generates the connection summary as a guideline on how to

I hope this helps,