I have configured /opt/bro/etc/broctl.cfg LogRotationInterval = 1800 due to the default 3600 was causing too much data to be rotated and causing CPU spikes and dropped packets.
Since i have changed the interval to be 1800 i am noticing in my log directory every protocol log is logging from 00:00- 00:30 and then the next log is 00:00 - 01:00 so it seems both the 30minutes that i have defined to log and also the default 1 hour log is being logged also.
This seems weird to me as it wasnt doing this when i first installed bro… What process or sub process handles the gzip component of logs from the spool?
Also on another standalone worker i converted from ASCII to JSON as its going straight into our Splunk siem. Now JSON data is being logged for multiple days at a time in the current directory and not gzipping to the directory every half an hour like i have defined. The way i have got it to gzip is to deploy a config change and it gracefully shut down and start again, this causes the post processer to write to disk but while the daemon is running configured to output as json it doesnt log rotate correctly. Has anyone else run into this issue?
Cheers,
John