Question about Bro losing the logs every time "bro -r xxx.pcap" is executed

Hi,

When I execute the "bro -r xxx.pcap" command, the logs that were generated last time are overwritten (maybe removed). What I want to ask is: how can I keep the logs that were generated by the "bro -r xxx.pcap" command last time? Does Bro have a feature to append to the end of the log files every time?

Thanks so much!

Hi 军波,
I think Bro just truncates the log file. The Ascii::DoInit function in the file /logging/writers/ascii/Ascii.cc opens the log file in 'O_WRONLY | O_CREAT | O_TRUNC' mode, so if you want to append logs, maybe you need to change 'O_TRUNC' to 'O_APPEND'.
I have not verified this method; I hope this helps you.

Bowen Li

彭军波 <pengjunbo@1218.com.cn> wrote on Wednesday, June 13, 2018 at 9:27 AM:
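An added example, not part of the thread and not Bro's own code: a stand-alone C program comparing the two open(2) flag sets mentioned in the reply across two simulated runs. The file names, the `#fields` header line and the records are constructed sample data; the assumption is that each run writes a header before its records, so an appended log ends up with a second header in the middle of the file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Simulate one run: open the log with O_TRUNC or O_APPEND, then write
 * a header line and one record (both constructed sample data). */
static int run_once(const char *path, int extra_flag, const char *record)
{
    static const char header[] = "#fields\tts\tuid\n";
    int fd = open(path, O_WRONLY | O_CREAT | extra_flag, 0600);
    if (fd < 0)
        return -1;
    int ok = write(fd, header, sizeof header - 1) == (ssize_t)(sizeof header - 1)
          && write(fd, record, strlen(record)) == (ssize_t)strlen(record);
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Count lines in the file; *headers gets the number of lines starting with '#'. */
static int count_lines(const char *path, int *headers)
{
    char line[256];
    int total = 0;
    FILE *f = fopen(path, "r");
    *headers = 0;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        total++;
        if (line[0] == '#')
            (*headers)++;
    }
    fclose(f);
    return total;
}

/* Two consecutive runs against a fresh file; returns the total line count. */
int two_runs(const char *path, int extra_flag, int *headers)
{
    unlink(path);                       /* start from a clean state */
    if (run_once(path, extra_flag, "1528853220.0\tC1\n") != 0 ||
        run_once(path, extra_flag, "1528853221.0\tC2\n") != 0)
        return -1;
    return count_lines(path, headers);
}

int main(void)
{
    int h, n = two_runs("demo_trunc.log", O_TRUNC, &h);
    printf("O_TRUNC : %d lines, %d header(s)\n", n, h);
    n = two_runs("demo_append.log", O_APPEND, &h);
    printf("O_APPEND: %d lines, %d header(s)\n", n, h);
    return 0;
}
```

With O_TRUNC only the second run's header and record survive; with O_APPEND both runs are kept, and anything parsing the file has to tolerate the repeated header.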