I’m testing out the ElasticSearch writer in a Bro Cluster (2.2 release) along with the Ascii writer. I’ve set LogRotationInterval to an hour (3600) in broctl.cfg, which I know sets or overrides Log::default_rotation_interval, and in my local.bro I’ve overridden the rotation_interval parameter of the ElasticSearch logger (defined in the logs-to-elasticsearch policy) to be every 24 hours. Apparently, Bro seems to be ignoring the rotation_interval value.
I’ve tried not setting LogRotationInterval and setting Log::default_rotation_interval in my local.bro file, but I got similar results.
Is there any way to have the Ascii writer use a 1 hr rotation interval while the ElasticSearch writer uses a different one? Looking through the docs/code, it doesn’t look like LogAscii has a rotation_interval of its own.
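The following local.bro fragment is an added example (not from the poster, and not the logs-to-elasticsearch policy's own code) showing the one place the Bro logging framework lets a rotation interval be set per output rather than globally: the interv field of a Log::Filter. It assumes the logs-to-elasticsearch policy is not loaded (that policy attaches its own ElasticSearch filters, so loading it as well would produce duplicate filters), and it uses Conn::LOG as a stand-in for whichever streams you actually ship to ElasticSearch.

```bro
# Added example: per-filter rotation intervals in local.bro.
# Assumes policy/tuning/logs-to-elasticsearch.bro is NOT loaded.
@load base/frameworks/logging/writers/elasticsearch

# Global default; this is what broctl's LogRotationInterval also sets.
# Every filter that does not set $interv inherits it, including the
# default ASCII filter on each stream.
redef Log::default_rotation_interval = 1hr;

# Example ElasticSearch filter for conn.log only, with its own interval.
# $interv overrides Log::default_rotation_interval for this filter alone.
event bro_init() &priority=-5
	{
	local es_filter: Log::Filter = [
		$name   = "es-conn",
		$writer = Log::WRITER_ELASTICSEARCH,
		$interv = 24hr
	];
	Log::add_filter(Conn::LOG, es_filter);
	}
```

With this in place the ASCII files on the manager rotate hourly from the global default, while the "es-conn" filter rotates on its own 24 hr schedule. To apply the same to every stream, iterate over Log::active_streams in the same bro_init handler and add one filter per stream with the $interv you want.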