hi guys,
Is there an easy way to rotate bro log(in $BROHOME/spool/bro) to ‘per day log’ after 24 hours and only archive it in gzip format after 48 hours?
Thanks
Not out of the box, but the rotation is done via the script defined
by RotateLogs::default_postprocessor. Per default, that is set to
"<prefix>/share/broctl/scripts/archive-log" so you could take that
one as template to write your own.
Robin